Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Search is truncating results to a smaller result set after completion

erikross
Explorer
‎12-04-2013 10:43 AM

Hello,

I'm running a fairly complex search using transactions in order to identify an error occurring in a distinct user session. 

source=product event_type=video_heartbeat | sort by video_session_id, tx_sequence | transaction video_session_id video_progress maxpause=35s | search eventcount>1 | stats count by user_id

Essentially, if a user has the same video_session_id and video_progress, this indicates that their video has stopped playing. I'm trying to find out how many users are simultaneously encountering this error.

The search itself is correct--if I insert a userId then it will properly find all video pauses for this user. When I remove the filter I encounter strange behavior. I will search across a set date/time, and the search will retrieve 11 distinct users, list them off...and then truncate the list down to 8. If I switch the stats count by for stats dc(user_id) I encounter the same issue.

I saved the list of 11 user ids that it retrieves during the search and inserted the missing ones as filters, and then all properly appear. Is there a limit to the number of events Splunk can match? I can't think of any reason it would truncate results like this when they are clearly matching.

Thanks for any help.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

cramasta
Builder
‎12-04-2013 11:09 AM

When using sort it will truncate your results to the first 10000 results. To have sort return all results you need to use the command like this (0 = no limit).

sort 0 video_session_id, tx_sequence

Not sure if sort is the cause of your problem but its the first thing that stood out. Also I don't think you need to use the sort command in the first place with the transaction command.

View solution in original post

Reply
Solved! Jump to solution
Solution

cramasta
Builder
‎12-04-2013 11:09 AM

When using sort it will truncate your results to the first 10000 results. To have sort return all results you need to use the command like this (0 = no limit).

sort 0 video_session_id, tx_sequence

Not sure if sort is the cause of your problem but its the first thing that stood out. Also I don't think you need to use the sort command in the first place with the transaction command.

Reply
Solved! Jump to solution

erikross
Explorer
‎12-04-2013 12:00 PM

That was it! Thanks very much for your help.

0 Karma
Reply
Get Updates on the Splunk Community!

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...