Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Search generated too much data...

terryloar
Path Finder
‎04-23-2012 03:51 PM

Has anyone run into this message?

"Search generated too much data for the current display configuration, results have been truncated"

The search is for collecting and grouping latency times (spent).

source="/opt/splunk/var/log/splunk/web_access.log"

| eval dum=case(spent==0, spent)
| eval 0-99(ms)=case(spent>=0 AND spent<=99, spent)
| eval 100-199(ms)=case(spent>=100 AND spent<=199, spent)
| eval 200-299(ms)=case(spent>=200 AND spent<=299, spent)
| eval 300-399(ms)=case(spent>=300 AND spent<=399, spent)
| eval 400-499(ms)=case(spent>=400 AND spent<=499, spent)
| eval over500(ms)=case(spent>=500, spent)
| table spent 0-99(ms) 100-199(ms) 200-299(ms) 300-399(ms) 400-499(ms) over500(ms)

Tags (2)
Reply

kbecker
Communicator
‎09-29-2016 08:31 AM

This does increase the value but there is still an upper limit that is hard coded

0 Karma
Reply

davidpaper
Contributor
‎09-29-2016 08:26 AM

Hi,

I 6.x and above, you can alter the max number of data points in a series for a timechart in a dashboard and stay w/in the HTML5 realm and not need to invoke Flash.

< option name="charting.data.count" >9999 </ option >

to get around the 1000 point limitation in timechart.

Reply

kbecker
Communicator
‎09-29-2016 08:09 AM

Have you opened a support ticket with Splunk, we are trying to get them to remove these limits and more customers will help drive this.

0 Karma
Reply

uuppuluri_splun
Splunk Employee
Splunk Employee
‎12-19-2013 11:06 AM

For simple XML, in 5.0.3.1 and above, you can set the config as below in $SPLUNK_HOME/etc/system/local/web.conf
[settings]
simple_xml_force_flash_charting = true

For Advanced XML, change

layoutPanel="graphArea"> in
etc/apps/search/default/data/ui/views/charting.xml to
FlashChart.

Hope This Helps!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...

SplunkTrust Application Period is Officially OPEN!

It's that time, folks! The application/nomination period for the 2026-2027 SplunkTrust is officially open. If ...