- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Search Query returns only 50000 Events/Results Lis...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Search Query returns only 50000 Events/Results List totally though total Events/Results are almost 56Lakh Events.
Hi Splunk Users,
Observing an Issue while I try to Query the Splunk for
Search Query returns only 50000 Events/Results List totally though total Events/Results are almost 56Lakh Events.
Please, help in resolving this issue is much needed.
Let me know what settings do I need to make in any of the Splunk configuration files.
Thanks & Regards,
Dharmendra Setty
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You set the maxresultrows to 5 million, when Splunk specifies that it cannot be more than 50 thousand. From the documentation:
* This limit should not exceed 50000. Setting this limit higher than 50000
causes instability.
* Defaults to 50000.
It is a wonder that your Splunk did not simply crash. What are you trying to do where over 50K of raw events will be useful? That is many more events that anyone could possibly examine. If you categorize your data, Splunk will be able to produce up to 50K rows of results, which could summarize your "lakh" events. Splunk can search all those events, but it cannot return that many results to the browser!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for sharing the limitation on Splunk end.
My requirement is:
1. Triggering a Search Query, to get the mails between start time:: '04/11/2017:12:30:00',
end time::'04/12/2017:09:59:00'. Current my Splunk DB is having 30000 Mails in it.
NOTE: Every mail has between 12 to 40 Events in it. So on an average it will be like 26 Events in each mail.
So it will be 7,80,000 Events.
To address this requirement I queried for all data between these durations, where I ended up in getting only 50 Events totally from the Query Response.
Any other idea to overcome this limitation & still get all the 7,80,000 Events?
Thanks,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tried below for lessers Mails, say which comes to around 16Lakhs Events/Results: [BUT NO LUCK...!!]
vm30esa0072:rtestuser 116] /data/third_party/splunk/bin/splunk dispatch "* starttime=04/11/2017:00:00:00 endtime=04/12/2017:23:59:00 | stats count" -auth admin:changeme
count
1686815
==> Totally there are 16 Lakhs around Events/Results in the Splunk DB. But get only 50K Results...!!
limits.conf file snippet:
Copyright (C) 2005-2010 Splunk Inc. All Rights Reserved. Version 3.0
DO NOT EDIT THIS FILE!
Please make all changes to files in $SPLUNK_HOME/etc/system/local.
To make changes, copy the section/stanza you want to change from $SPLUNK_HOME/etc/system/default
into ../local and edit there.
This file configures various limits to the Splunk's search commands.
CAUTION: Do not alter the settings in limits.conf unless you know what you are doing.
Improperly configured limits may result in splunkd crashes and/or memory overuse.
[searchresults]
maxresultrows = 5000000
maximum number of times to try in the atomic write operation (1 = no retries)
tocsv_maxretry = 5
retry period is 1/2 second (500 milliseconds)
tocsv_retryperiod_ms = 500
Thanks & Regards,
Dharmendra Setty
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Many search commands have limit, not just searchresults.
What is your search ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for sharing the limitation on Splunk end.
My requirement is:
1. Triggering a Search Query, to get the mails between start time:: '04/11/2017:12:30:00',
end time::'04/12/2017:09:59:00'. Current my Splunk DB is having 30000 Mails in it.
NOTE: Every mail has between 12 to 40 Events in it. So on an average it will be like 26 Events in each mail.
So it will be 7,80,000 Events.
To address this requirement I queried for all data between these durations, where I ended up in getting only 50 Events totally from the Query Response.
Any other idea to overcome this limitation & still get all the 7,80,000 Events?
Thanks,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What is your search? Most likely you are hitting a limit. In which case job inspector will give you the reason what is limiting your result set.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Pradeep,
How to use the job inspector to check the limiting of results to only 50000?
Index This | Divide 100 by half. What do you get?
Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!
Splunk and Fraud
