- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- What is the maximum number of rows we get when we ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What is the maximum number of rows we get when we use table command?
Environment: Splunk Cloud
I am running the below search with table command. The data which I am searching is very huge and it exceeds more than 600,000 rows. But the query got stuck at 500,000 rows. When I stop the query, it failed as it got expired.
What is the maximum number of rows this query can result? Or is there any limitation on disk quota for the search (for admin role)?
Query:
index=firewall | search action=allowed | table _time, srcip, dstip, srcport, dstport, action | lookup ip_intel ip as srcip OUTPUT description threat_key domain | search description!="" | table _time srcip dstip srcport dstport action description domain threat_key
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The table command is a finalizing command which means that it stops the map-reduce work on the Indexers causes all remaining partial results and commands to be pulled to the Search Head. This is why it should always be the VERY LAST command and fields should be used in the middle (if anything at all). It has no maximum but it is easy to use up all the RAM available to your Search Head in your browser which will then cause it to truncate. Check the search.log in the Job inspector.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don't believe this is exactly correct. I just ran a large table query on a machine with plenty of RAM and it "seemed to cap" at exactly 500k rows also. Then, a bit after the query itself completed, the table suddenly updated to 4M rows. That cannot be a coincidence, I think there must be a "first pass" size or something in the backend jobs.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
On Splunk Cloud there are some constrains, but I did not find it on the Splunk Cloud document about restrictions to output the limits of rows as a result.
For further information ->https://docs.splunk.com/Documentation/SplunkCloud/8.0.0/Service/SplunkCloudservice#Splunk_Cloud_serv...
For sure, Splunk Cloud should have setup some configuration to avoid long running searches. It is required to keep a good performance on Splunk Cloud. I suggest to open a case with splunk support to report the issue you are having and also request for them about the parameters configuration for your environment.
I also suggest a change to your report in order to get only the required fields for this report using the fields command. Please tweak your report to see if there is any other improvement you can apply.
It can be something like this:
index=firewall action=allowed
| fields _time, srcip, dstip, srcport, dstport, action
| table _time, srcip, dstip, srcport, dstport, action
| lookup ip_intel ip as srcip OUTPUT description threat_key domain
| search description!=""
| table _time srcip dstip srcport dstport action description domain threat_key
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
