Splunk Search

The sort command is truncating output to 10000 rows

efelder0
Communicator

I am receiving the following message:

"The sort command is truncating output to 10000 rows"

How do I resolve this so that I can get all my data?

thx

Tags (2)
1 Solution

Drainy
Champion

As per;

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/sort

It is automatically limited to 10000 if you don't specify. If you do;

 | sort 0 field

then it will return all results.

View solution in original post

Drainy
Champion

As per;

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/sort

It is automatically limited to 10000 if you don't specify. If you do;

 | sort 0 field

then it will return all results.

efelder0
Communicator

thanks, work fine now..

0 Karma

ElijahLynn
Explorer

I downvoted this post because this should be a comment not an answer.

0 Karma

Anam
Community Manager
Community Manager

Hi ElijiahLynn

Downvoting users should be reserved for suggestions that could be potentially harmful to someone's Splunk environment. Also, giving a reason as "answer should have been a comment" is unnecessary, and this is not how Splunk community etiquette works in this forum. The downvote form is supposed to be used to help educate the community to learn and improve based on the context provided.

Some of the most active members in Answers have helped set the standard of how voting etiquette should work in the Splunk community which distinguishes our culture apart from other Q&A forums. Upvote early and often to give credit where it’s due for high-quality posts, comment where you think feedback needs to be given, and only downvote if something potentially dangerous is suggested. If you’re interested in seeing how this voting etiquette was developed, check out this Splunk Answers post: https://answers.splunk.com/answers/244111/proper-etiquette-and-timing-for-voting-here-on-ans.html

0 Karma

ElijahLynn
Explorer

Okay, good to know. I was following Stack Overflow guidelines because this site is a Stack Overflow clone. This community will probably get more comments like mine because that is the guidance Stack Overflow gives for downvoting things, as long as it keeps a Stack Overflow/Exchange like appearance, undistinguished.

I will adopt to your suggestons as a member of this community, thanks for the heads up.

ppablo
Retired

Hi @ElijahLynn

Thanks for understanding and being receptive to adjusting to this Splunk community forum and culture. I also appreciate that you were just trying to correct where users should be posting certain responses. We hear from users in the community very often that they appreciate feeling like they can contribute here without the fear of being shunned so quickly by others like they experience in other forums. So, we just want to maintain that positive and constructive environment.

I appreciate your note about the similar look/feel of Stack Overflow/Exchange warranting similar guidance. Will definitely consider that for the future.

Thanks for contributing your knowledge here with the Splunk Community!

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...