Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Using sort 0 to avoid 10000 row limit

leica0000
Engager
‎05-19-2020 12:47 AM

alt text

Sorry for the silly attention-grabbing dancing question mark. 🙂

Thanks for any help on this. I've had to dive into the deep end of Splunk with no previous exposure for various staffing reasons, so please forgive my ignorance.

I'm trying to get my use of the sort 0 command (to override the 10k scheduler output limitation. I'm using the cloud version so no control on the conf files on the server or anything like that.

Where am I still missing a sort 0?!?

I've got this, but it's still truncating all rows after 10,000 rows.

Thing.process.valid.request OR herschel.update.job.completed

| transaction activity_id startswith="Thing.process.valid.request" endswith="herschel.update.job.completed"

| eval start_time=_time

| eval end_time=_time+duration

| convert timeformat="%Y-%m-%d %H:%M:%S" ctime(start_time) AS ThingPackager_Start

| convert timeformat="%Y-%m-%d %H:%M:%S" ctime(end_time) AS Sent_To_Thing

| eval delay_hours = round(duration/60/60, 2)

| rename activity_id AS tar_name

| eval media_assetID=substr(tar_name,1,12)

| sort 0 end_time

| stats first  as *, first(_*) as _* by media_assetID

| table Thing_Start Sent_To_Thing start_time end_time Thing_id tar_name media_assetID delay_hours | sort 0 by delay_hours desc

Thank you for any help, I'm going bonkers trying to get my head around this syntax.

0 Karma
Reply

skoelpin
SplunkTrust
SplunkTrust
‎05-19-2020 08:48 AM

You're hitting a limit in your transaction command. I'd also recommend adding sort AFTER your reporting command stats

0 Karma
Reply

to4kawa
Ultra Champion
‎05-19-2020 07:31 AM

This is not due to sort
see reference:

https://docs.splunk.com/Documentation/Splunk/latest/Admin/Limitsconf#.5Btransactions.5D

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...