
Splunk Search limits results to 1000 events only

Path Finder

The following Search command:

error OR failed OR severe OR ( sourcetype=access_* ( 404 OR 500 OR 503 ) )

results in only 1000 events. A bang displays the following message:

"Currently displaying the most recent 1000 events in the selected range. Select a narrower range or zoom in to see more events"

Objective: to see all events in the last 24 hours.

Thanks

UA


Re: Splunk Search limits results to 1000 events only

SplunkTrust

What was the time range selected in the time range picker? Meanwhile, try this:

error OR failed OR severe OR ( sourcetype=access_* ( 404 OR 500 OR 503 ) ) earliest=-24h@h

Re: Splunk Search limits results to 1000 events only

Path Finder

The time range was the past 24 hours.

0 Karma

Re: Splunk Search limits results to 1000 events only

Path Finder

Same error was observed. I am sure there might be a limit set up in one of the config files.

0 Karma

Re: Splunk Search limits results to 1000 events only

SplunkTrust

And you're seeing the result in the Events tab or the Visualization tab? What do you want to do with the data returned?

0 Karma

Re: Splunk Search limits results to 1000 events only

Path Finder

In the Events tab. I normally would like to see all errors for the last 24 hours. I browse through these to see if anything critical has occurred.

0 Karma

Re: Splunk Search limits results to 1000 events only

Communicator

At the end of your search add this:

| table * 

This will cause Splunk to return "results" instead of "events", and the restriction will be removed.

You can use a more specific table, or any aggregating command to get the same result.

This has to do with the difference between "events" and "results." For performance, Splunk will only pull the first 1000 events back to the SH, but this restriction does not apply to results.
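
An aggregated variant of the search from this thread, added here as an example and not posted by any participant: it follows the answer above in ending with transforming commands, so the search returns results rather than events, and it groups the last 24 hours of matches for triage. The `keyword` field, its `http_status` fallback label, and the `events`, `first_seen` and `last_seen` column names are made up for this example.

```spl
error OR failed OR severe OR ( sourcetype=access_* ( 404 OR 500 OR 503 ) ) earliest=-24h@h
| eval keyword=case(searchmatch("severe"), "severe",
                    searchmatch("failed"), "failed",
                    searchmatch("error"), "error",
                    true(), "http_status")
| stats count AS events, earliest(_time) AS first_seen, latest(_time) AS last_seen BY sourcetype, host, keyword
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"),
       last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort - events
```

Each row is one sourcetype, host and keyword combination with its event count and time span, which shows where to drill down instead of paging through raw events.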


Re: Splunk Search limits results to 1000 events only

Path Finder

Thank you. This post helped me solve a long overdue problem. Points awarded!

0 Karma

Re: Splunk Search limits results to 1000 events only

Motivator
I think that this search code will help:

error OR failed OR severe OR ( sourcetype=access_* ( 404 OR 500 OR 503 ) ) earliest=-24h@h

0 Karma