Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Search generated too much data...

terryloar
Path Finder
‎04-23-2012 03:51 PM

Has anyone run into this message?

"Search generated too much data for the current display configuration, results have been truncated"

The search is for collecting and grouping latency times (spent).

source="/opt/splunk/var/log/splunk/web_access.log"

| eval dum=case(spent==0, spent)
| eval 0-99(ms)=case(spent>=0 AND spent<=99, spent)
| eval 100-199(ms)=case(spent>=100 AND spent<=199, spent)
| eval 200-299(ms)=case(spent>=200 AND spent<=299, spent)
| eval 300-399(ms)=case(spent>=300 AND spent<=399, spent)
| eval 400-499(ms)=case(spent>=400 AND spent<=499, spent)
| eval over500(ms)=case(spent>=500, spent)
| table spent 0-99(ms) 100-199(ms) 200-299(ms) 300-399(ms) 400-499(ms) over500(ms)

Tags (2)
Reply

kbecker
Communicator
‎09-29-2016 08:31 AM

This does increase the value but there is still an upper limit that is hard coded

0 Karma
Reply

davidpaper
Contributor
‎09-29-2016 08:26 AM

Hi,

I 6.x and above, you can alter the max number of data points in a series for a timechart in a dashboard and stay w/in the HTML5 realm and not need to invoke Flash.

< option name="charting.data.count" >9999 </ option >

to get around the 1000 point limitation in timechart.

Reply

kbecker
Communicator
‎09-29-2016 08:09 AM

Have you opened a support ticket with Splunk, we are trying to get them to remove these limits and more customers will help drive this.

0 Karma
Reply

uuppuluri_splun
Splunk Employee
Splunk Employee
‎12-19-2013 11:06 AM

For simple XML, in 5.0.3.1 and above, you can set the config as below in $SPLUNK_HOME/etc/system/local/web.conf
[settings]
simple_xml_force_flash_charting = true

For Advanced XML, change

layoutPanel="graphArea"> in
etc/apps/search/default/data/ui/views/charting.xml to
FlashChart.

Hope This Helps!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

Data Management Digest – May 2026

Welcome to the May 2026 edition of Data Management Digest!   As your trusted partner in data innovation, the ...