Splunk Search

Search is truncating results to a smaller result set after completion

erikross
Explorer

Hello,

I'm running a fairly complex search using transactions in order to identify an error occurring in a distinct user session.

source=product event_type=video_heartbeat | sort by video_session_id, tx_sequence | transaction video_session_id video_progress maxpause=35s | search eventcount>1 | stats count by user_id 

Essentially, if a user has the same video_session_id and video_progress, this indicates that their video has stopped playing. I'm trying to find out how many users are simultaneously encountering this error.

The search itself is correct: if I insert a userId then it will properly find all video pauses for this user. When I remove the filter I encounter strange behavior. I will search across a set date/time, and the search will retrieve 11 distinct users, list them off... and then truncate the list down to 8. If I switch the stats count by for stats dc(user_id), I encounter the same issue.

I saved the list of 11 user ids that it retrieves during the search and inserted the missing ones as filters, and then all properly appear. Is there a limit to the number of events Splunk can match? I can't think of any reason it would truncate results like this when they are clearly matching.

Thanks for any help.

1 Solution

cramasta
Builder

When using sort, it will truncate your results to the first 10000 results. To have sort return all results, you need to use the command like this (0 = no limit).

sort 0 video_session_id, tx_sequence

Not sure if sort is the cause of your problem but it's the first thing that stood out. Also I don't think you need to use the sort command in the first place with the transaction command.
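Applying the accepted answer to the original pipeline, as an added example that is not from either poster: the first search is a quick check for the default sort cap (with no count argument, sort keeps only the first 10000 events, so this count never exceeds 10000 however many heartbeats exist); the second is the original search with sort 0 so every event reaches transaction. Source and field names are the ones from the question.

```spl
source=product event_type=video_heartbeat
| sort video_session_id, tx_sequence
| stats count

source=product event_type=video_heartbeat
| sort 0 video_session_id, tx_sequence
| transaction video_session_id video_progress maxpause=35s
| search eventcount>1
| stats count by user_id
```

Run the first search once with and once without the sort line: if the sorted version stops at exactly 10000 while the unsorted one is higher, the sort cap, not transaction, is what trims the user list.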

erikross
Explorer

That was it! Thanks very much for your help.
