Has anyone run into this message?
"Search generated too much data for the current display configuration, results have been truncated"
The search is for collecting and grouping latency times (spent).
| eval dum=case(spent==0, spent)
| eval 0-99(ms)=case(spent>=0 AND spent<=99, spent)
| eval 100-199(ms)=case(spent>=100 AND spent<=199, spent)
| eval 200-299(ms)=case(spent>=200 AND spent<=299, spent)
| eval 300-399(ms)=case(spent>=300 AND spent<=399, spent)
| eval 400-499(ms)=case(spent>=400 AND spent<=499, spent)
| eval over500(ms)=case(spent>=500, spent)
| table spent 0-99(ms) 100-199(ms) 200-299(ms) 300-399(ms) 400-499(ms) over500(ms)
In 6.x and above, you can alter the max number of data points in a series for a timechart in a dashboard and stay w/in the HTML5 realm and not need to invoke Flash.
<option name="charting.data.count">9999</option>
to get around the 1000 point limitation in timechart.
For simple XML, in 184.108.40.206 and above, you can set the config as below in $SPLUNK_HOME/etc/system/local/web.conf
simple_xml_force_flash_charting = true
For Advanced XML, change
Hope This Helps!