Splunk Search

Increase 'Top 10' field values in Search App, increase limits of counted variations >100

Thomas_Gresch
Explorer

I would like to increase the number of field-variations shown in brackets on the left of the search-app next to each field. We have about 120 servers running, and currently splunk shows only up to 100 variations per field:

balance_pool (12)
dest_host (>=100)
url (=>100)
src_host (>=100) 

If we could see values till 150 (risking some performance loss), I would have important information inline, instead of having to dig deeper every time. Does anybody know if that can be changed and if yes: where?

Another nice thing would be to increase the top 10 show in the floating window to a higher value.

Tags (1)
1 Solution

sideview
SplunkTrust
SplunkTrust

I dont believe there is any way to raise the distinct count of the field values in the sidebar. If it were configurable anywhere I'd think you'd see it either in the spec for limits.conf or in the REST docs but I dont see anything in either place.

http://www.splunk.com/base/Documentation/latest/Admin/Limitsconf

http://www.splunk.com/base/Documentation/latest/Developer/RESTSearch

I can however answer the second question. The MultiFieldViewer and SuggestedFieldViewer modules each have a 'count' param. It's optional and it defaults to 10, but you can raise this to 20 and it should then show the top 20 values in the modal popup layer instead of the top 10.

And although this doesnt really answer your question you might find it interesting--- if you ever want to see the exact distinct counts for every field, you can always run this:

<your search> | stats dc(*) as * | transpose 1000 | rename "row 1" as count, column as field

The discover app on splunkbase uses a search like this to give the user a choice of fields to analyze in 'discover reports'

View solution in original post

sideview
SplunkTrust
SplunkTrust

I dont believe there is any way to raise the distinct count of the field values in the sidebar. If it were configurable anywhere I'd think you'd see it either in the spec for limits.conf or in the REST docs but I dont see anything in either place.

http://www.splunk.com/base/Documentation/latest/Admin/Limitsconf

http://www.splunk.com/base/Documentation/latest/Developer/RESTSearch

I can however answer the second question. The MultiFieldViewer and SuggestedFieldViewer modules each have a 'count' param. It's optional and it defaults to 10, but you can raise this to 20 and it should then show the top 20 values in the modal popup layer instead of the top 10.

And although this doesnt really answer your question you might find it interesting--- if you ever want to see the exact distinct counts for every field, you can always run this:

<your search> | stats dc(*) as * | transpose 1000 | rename "row 1" as count, column as field

The discover app on splunkbase uses a search like this to give the user a choice of fields to analyze in 'discover reports'

theouhuios
Motivator

Is this still valid in Splunk 6? I have changed the values in both the conf files but dont see more than 10 values.

0 Karma

ahattrell_splun
Splunk Employee
Splunk Employee

To expand on the above for the less experienced - if you wish to increase the number of results shown when you click on a field you need to edit this file:

{splunk install}/share/splunk/search_mrsparkle/modules/results/SuggestedFieldViewer.conf

and add a stansa:

[param:count]
required = False
default = 20

Thoroughly document this change in your local processes as an upgrade will overwrite your changes. Given that this is not a documented feature of the product it's also probably liable to change in future releases without notice. The value of your investment could go up as well as down.

0 Karma

Thomas_Gresch
Explorer

Thanks nick! Great answer and a big help already!

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...