Splunk Search

Search Query Limitation displaying only 800000 records

kishen2017
Path Finder

Hi All,

Facing an issue with splunk search query hitting limitation with 800000 records.
On this below query, SLR001 total count is displaying as 800000 but the actual records in index for SLR001 is more than 900000.
Search query is limiting the records returned for SLR001 at 800000.

I tried changing maxresultrows config value in limits.conf but it doesnt work.
Also i tried using append maxout command with higher value but it did not work.

Appreciate any help on this to display SLR001 total count value to more than 800000 records.

Query Used:

(index=sumidx_slr006 search_stage=slr006) OR (index=sumidx_slr002 stage=transaction slr=slr002) OR (index=sumidx_slr003 slr=slr003 stage=transaction) OR (index=sumidx_slr004 search_name="sumidx_slr004") |append [search index="sumidx_slr001" search_name="sumidx_slr001" |dedup isoClearSysRef]
| eval SLR_name=case(index="sumidx_slr006","SLR006",search_name="sumidx_slr001_change2","SLR001",index="sumidx_slr002","SLR002",index="sumidx_slr003","SLR003",index="sumidx_slr004","SLR004")
| stats count(eval(SLR_status="Breached")) AS Breached,count(eval(SLR_status="Breached" OR SLR_status="Not Breached")) as Total by SLR_name

Output:

SLR_name Breached Total

SLR001 315 800000
SLR002 141 1378539
SLR003 1792 1349458
SLR004 17 231518
SLR006 13 220741

Tags (1)
0 Karma
Get Updates on the Splunk Community!

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...

New Dates, New City: Save the Date for .conf25!

Wake up, babe! New .conf25 dates AND location just dropped!! That's right, this year, .conf25 is taking place ...

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...