Splunk Search

Likely Bug With Transaction MaxEvents

SplunkPersonal
Path Finder

Hello,

I'm using transaction to process events. Per the documentation (https://docs.splunk.com/Documentation/Splunk/7.2.0/SearchReference/Transaction), I set maxevents to a negative number so there is no limit. I only get 500 results however. But if I change maxevents to 5000 events, I get 2700 events with the exact same query.

Can you confirm this is not working as intended with a negative value for maxevents?

Thank you.

Tags (1)

simonzfor
Explorer

I have a similar issue where I have an expected of about 1500 events in a transaction. If I set maxevents to 1000, I get two different transactions. If I set maxevents to too big or disable it by using a negative value, they get excluded entirely from the end result. I find this behavior very strange.

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

New Release of Federated Search: Bringing Splunk Analytics to More of Your Data

Organizations today are generating more data than ever and storing it across cloud object stores, data lakes, ...

Inside Event Intelligence: How ITSI Turns Network Alerts into Actionable Incidents

Tech Talk Inside Event Intelligence: How ITSI Turns Network Alerts into Actionable Incidents   Correlating ...

Observability Simplified: Combining User Experience, Application Performance & ...

  Tech Talk Network to App: Observability Unlocked   Today’s digital environments span applications, ...