Solved: Is there a way to increase the results limit of sa...

ddrillic · ‎10-02-2017

We reached the limit of 500K results per saved search. We wonder if we can increase to, let's say 10 million, for one specific app.

We see Is there a setting for the maximum number of results that can be written to a summary index from a s...

But it doesn't refer to one specific app.

abhishekreddy · ‎10-02-2017

Change the dispatch.max_count in savedsearches.conf and place it in $SPLUNK_HOME/etc/apps/appName/local

View solution in original post

abhishekreddy · ‎10-02-2017

Change the dispatch.max_count in savedsearches.conf and place it in $SPLUNK_HOME/etc/apps/appName/local

ddrillic · ‎10-03-2017

Great! on the search heads, right? sanity check ; -)

abhishekreddy · ‎10-03-2017

Obviously 😛

ddrillic · ‎10-03-2017

; - ) interestingly, the following Why are only 10,000 events making it into the summary index?

says -

-- ALSO, in etc/system/local/limits.conf (create it if it doesn't exist), under the [scheduler] stanza, set max_action_results=100000 (or a limit of your choosing).

Not sure if it's applicable ...

ddrillic · ‎10-10-2017

Not much luck so far -

Is there a way to increase the results limit of saved searches per app?

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio