Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Search generated too much data...

terryloar
Path Finder
‎04-23-2012 03:51 PM

Has anyone run into this message?

"Search generated too much data for the current display configuration, results have been truncated"

The search is for collecting and grouping latency times (spent).

source="/opt/splunk/var/log/splunk/web_access.log"

| eval dum=case(spent==0, spent)
| eval 0-99(ms)=case(spent>=0 AND spent<=99, spent)
| eval 100-199(ms)=case(spent>=100 AND spent<=199, spent)
| eval 200-299(ms)=case(spent>=200 AND spent<=299, spent)
| eval 300-399(ms)=case(spent>=300 AND spent<=399, spent)
| eval 400-499(ms)=case(spent>=400 AND spent<=499, spent)
| eval over500(ms)=case(spent>=500, spent)
| table spent 0-99(ms) 100-199(ms) 200-299(ms) 300-399(ms) 400-499(ms) over500(ms)

Tags (2)
Reply

kbecker
Communicator
‎09-29-2016 08:31 AM

This does increase the value but there is still an upper limit that is hard coded

0 Karma
Reply

davidpaper
Contributor
‎09-29-2016 08:26 AM

Hi,

I 6.x and above, you can alter the max number of data points in a series for a timechart in a dashboard and stay w/in the HTML5 realm and not need to invoke Flash.

< option name="charting.data.count" >9999 </ option >

to get around the 1000 point limitation in timechart.

Reply

kbecker
Communicator
‎09-29-2016 08:09 AM

Have you opened a support ticket with Splunk, we are trying to get them to remove these limits and more customers will help drive this.

0 Karma
Reply

uuppuluri_splun
Splunk Employee
Splunk Employee
‎12-19-2013 11:06 AM

For simple XML, in 5.0.3.1 and above, you can set the config as below in $SPLUNK_HOME/etc/system/local/web.conf
[settings]
simple_xml_force_flash_charting = true

For Advanced XML, change

layoutPanel="graphArea"> in
etc/apps/search/default/data/ui/views/charting.xml to
FlashChart.

Hope This Helps!

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | When is October more than just the tenth month?

October 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What’s New & Next in Splunk SOAR

 Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us for an ...