Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Search generated too much data...

terryloar
Path Finder
‎04-23-2012 03:51 PM

Has anyone run into this message?

"Search generated too much data for the current display configuration, results have been truncated"

The search is for collecting and grouping latency times (spent).

source="/opt/splunk/var/log/splunk/web_access.log"

| eval dum=case(spent==0, spent)
| eval 0-99(ms)=case(spent>=0 AND spent<=99, spent)
| eval 100-199(ms)=case(spent>=100 AND spent<=199, spent)
| eval 200-299(ms)=case(spent>=200 AND spent<=299, spent)
| eval 300-399(ms)=case(spent>=300 AND spent<=399, spent)
| eval 400-499(ms)=case(spent>=400 AND spent<=499, spent)
| eval over500(ms)=case(spent>=500, spent)
| table spent 0-99(ms) 100-199(ms) 200-299(ms) 300-399(ms) 400-499(ms) over500(ms)

Tags (2)
Reply

kbecker
Communicator
‎09-29-2016 08:31 AM

This does increase the value but there is still an upper limit that is hard coded

0 Karma
Reply

davidpaper
Contributor
‎09-29-2016 08:26 AM

Hi,

I 6.x and above, you can alter the max number of data points in a series for a timechart in a dashboard and stay w/in the HTML5 realm and not need to invoke Flash.

< option name="charting.data.count" >9999 </ option >

to get around the 1000 point limitation in timechart.

Reply

kbecker
Communicator
‎09-29-2016 08:09 AM

Have you opened a support ticket with Splunk, we are trying to get them to remove these limits and more customers will help drive this.

0 Karma
Reply

uuppuluri_splun
Splunk Employee
Splunk Employee
‎12-19-2013 11:06 AM

For simple XML, in 5.0.3.1 and above, you can set the config as below in $SPLUNK_HOME/etc/system/local/web.conf
[settings]
simple_xml_force_flash_charting = true

For Advanced XML, change

layoutPanel="graphArea"> in
etc/apps/search/default/data/ui/views/charting.xml to
FlashChart.

Hope This Helps!

0 Karma
Reply
Get Updates on the Splunk Community!

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...