When I sort my data by some field, by default its has limit of 10,000 rows. If I use attribute count=0 along with sort command it removes this limit. I want to know if I can do any settings or change any parameter in any conf file, so that next time I don't have to use "count=0" in order to avoid the limit of 10,000 rows.
well, there is a limits.conf file, but its not having any options for sort command.
one more thing - you were saying "sort count=0"
actually, we need not include "count=".. just add a "0" after sort.
so, to get all results we have to run
- for example to sort by host
<source> | sort 0 host
from splunk's developer point of view, this does not require a config file editing, processing the config file, etc.,.. after "sort", all you need to add is just "a space, 0, another space" ("0").
i think the developers usually do this as a general a way of making the users to learn the commands and tools (the linux commands and tools, for example vi, sed .. all full of these small twists and turns 😉 )