Splunk Search

In the sort command, I want to avoid the limit of 10,000 rows without using the attribute "count=0". Is there any setting for this in any conf file?

Path Finder

When I sort my data by some field, by default it has a limit of 10,000 rows. If I use the attribute count=0 along with the sort command, it removes this limit. I want to know if I can change any setting or parameter in any conf file, so that next time I don't have to use "count=0" in order to avoid the limit of 10,000 rows.

Esteemed Legend

It is a common best practice to ALWAYS use sort 0 instead of sort because of this silly default trimming value.
I am unaware of any way to change this default.

Path Finder

Np. Thanks for answering.

0 Karma

Champion

Well, there is a limits.conf file, but it does not have any options for the sort command.

One more thing: you were saying "sort count=0".

Actually, we need not include "count="; just add a "0" after sort.

So, to get all results, we have to run the following (for example, to sort by host):
<source> | sort 0 host

Path Finder

Even I didn't see any parameter in limits.conf which I can use to remove this limit with sort command.

Champion

From a Splunk developer's point of view, this does not require editing a config file, processing the config file, etc. After "sort", all you need to add is just "a space, 0, another space" ("0").

I think the developers usually do this as a general way of making users learn the commands and tools (the Linux commands and tools, for example vi and sed, are all full of these small twists and turns 😉).

0 Karma
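
Since the replies above find no conf setting and the fix has to be written into every search, one practical check is to scan saved searches for sort stages that carry no explicit count and therefore fall back to the 10,000-row default. The script below is an added example, not part of the thread or of Splunk itself; the function names and sample searches are constructed for illustration, and it assumes an explicit count is either the bare integer shown in the thread or the limit=<int> form.

```python
import re

DEFAULT_SORT_CAP = 10000  # rows a bare sort keeps, per the thread above

# Explicit count: a bare integer (as in "sort 0 host") or limit=<int>.
_COUNT = re.compile(r"(?:limit\s*=\s*)?(\d+)\b", re.IGNORECASE)
_SORT = re.compile(r"sort\b\s*(.*)", re.IGNORECASE | re.DOTALL)

def split_stages(spl):
    """Split SPL on pipes outside double-quoted strings. Pipes inside
    [subsearches] also split, so nested sort stages are checked too."""
    stages, buf, quoted, escaped = [], [], False, False
    for ch in spl:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            quoted = not quoted
        elif ch == "|" and not quoted:
            stages.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    stages.append("".join(buf).strip())
    return [s for s in stages if s]

def sort_row_cap(stage):
    """None if the stage is not a sort, 0 for unlimited, else rows kept."""
    m = _SORT.match(stage)
    if not m:
        return None
    count = _COUNT.match(m.group(1))
    return int(count.group(1)) if count else DEFAULT_SORT_CAP

def uses_default_cap(stage):
    """True when the stage is a sort with no explicit count."""
    m = _SORT.match(stage)
    return bool(m) and not _COUNT.match(m.group(1))

def find_default_capped_sorts(searches):
    """Map search name -> sort stages that silently use the default cap."""
    report = {name: [s for s in split_stages(spl) if uses_default_cap(s)]
              for name, spl in searches.items()}
    return {name: hits for name, hits in report.items() if hits}

SAMPLE_SEARCHES = {  # constructed examples, not taken from the thread
    "all_hosts_sorted": "index=main | stats count by host | sort 0 host",
    "truncated_report": "index=main | stats count by src | sort - count",
    "top_100": "index=web | stats count by uri | sort limit=100 -count",
    "pipe_in_string": 'index=main | eval note="a | sort b" | sort 0 note',
    "nested": "index=main [search index=dns | sort query | head 5] | table host",
}
```

Calling find_default_capped_sorts(SAMPLE_SEARCHES) reports only the searches whose results could be trimmed without warning; a search that deliberately keeps a fixed number of rows is left alone.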