When I was searching with the following query for one day,
sourcetype=web_access | chart count by sourceIP
There was the following message in the banner below the Search bar:
Limit (50000 results) reached. Some fields may have been ignored.
And I noticed the result never went over 50,000. How can I increase the limit?
This means that you hit the row limit, 50,000, of the "chart" command. There were more than 50,000 different source IPs for the day in the search result.
The chart command's limit can be changed via the [stats] stanza.
So, you can increase the number via the [stats] stanza in limits.conf.
[stats]
maxresultrows = 100000

maxresultrows
* Maximum number of result rows to create.
* If not specified, defaults to searchresults::maxresultrows (which is by default 50000).
The default value of 50000 can be modified by editing the [searchresults] stanza in limits.conf:
[searchresults]
maxresultrows = 100000
Depending on the search command, you might have reached the max limit of stats, top, or join. You can change these limits in limits.conf.
Also, you might find that the searchresults limit is still 50k by checking the search in audit.log or search.log in the dispatch directory.
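As an added illustration of how the [stats] and [searchresults] settings discussed above interact (example code, not Splunk's own and not from this thread): it resolves the effective maxresultrows from limits.conf-style text, merging layers in a simplified lowest-to-highest precedence order, and flags a result set that sits at the cap (the silent truncation behind the banner). The conf texts are constructed.

```python
"""Resolve the effective maxresultrows for stats/chart from limits.conf-style
text and flag a result set that sits at the cap. Constructed example, not
Splunk's own code; the layer merge is a simplification of btool precedence."""
import configparser
from typing import Dict, Iterable

BUILTIN_SEARCHRESULTS_DEFAULT = 50000  # documented default for searchresults::maxresultrows


def parse_limits(text: str) -> Dict[str, Dict[str, str]]:
    """Parse one limits.conf layer ([stanza] / key = value) into a dict."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key names verbatim (no lower-casing)
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}


def merge_layers(layers: Iterable[str]) -> Dict[str, Dict[str, str]]:
    """Merge layers given lowest precedence first (e.g. system/default, then
    system/local); a later layer overrides keys set by an earlier one."""
    merged: Dict[str, Dict[str, str]] = {}
    for text in layers:
        for stanza, kv in parse_limits(text).items():
            merged.setdefault(stanza, {}).update(kv)
    return merged


def effective_maxresultrows(conf: Dict[str, Dict[str, str]], stanza: str = "stats") -> int:
    """stats::maxresultrows, else searchresults::maxresultrows, else the
    built-in 50000, following the fallback the limits.conf comment describes."""
    for section in (stanza, "searchresults"):
        value = conf.get(section, {}).get("maxresultrows")
        if value is not None:
            return int(value)
    return BUILTIN_SEARCHRESULTS_DEFAULT


def hit_limit(row_count: int, limit: int) -> bool:
    """True when the row count reached the cap, i.e. results were likely truncated."""
    return row_count >= limit


# Constructed layers: a shipped default and a site-local override.
SYSTEM_DEFAULT = "[searchresults]\nmaxresultrows = 50000\n\n[stats]\n# maxresultrows unset: inherits searchresults::maxresultrows\n"
SYSTEM_LOCAL = "[searchresults]\nmaxresultrows = 100000\n"

if __name__ == "__main__":
    conf = merge_layers([SYSTEM_DEFAULT, SYSTEM_LOCAL])
    limit = effective_maxresultrows(conf)
    print(f"effective stats maxresultrows = {limit}; 50000-row chart truncated? {hit_limit(50000, limit)}")
```

A chart of source IPs whose row count equals the effective limit should be treated as incomplete, not as the full set of addresses seen that day.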
Thanks, the_wolverine 🙂
Be warned though, increasing the limit can cause instability in users' browsers. I once bluescreened a workstation due to OOM issues when tweaking this setting.
Setting maxresultrows under [stats] did not work for our environment. As you know, we have a high count of events. As I posted below, it required setting this under [searchresults].
Path of the file: /data/third_party/splunk/etc/system/local
Under [searchresults], maxresultrows was changed from 50000 to 500000.
But I still see only 50000 results for any query to Splunk, though there are 5600000 events in the database.
vm30esa0072:rtestuser 116] /data/third_party/splunk/bin/splunk dispatch "* starttime=04/11/2017:00:00:00 endtime=04/12/2017:23:59:00 | stats count" -auth admin:changeme
1686815
==> In total there are around 16 lakh events/results in the Splunk DB, but I get only 50K results!
[searchresults]
maxresultrows = 5000000
tocsv_maxretry = 5
tocsv_retryperiod_ms = 500
I need help getting all of the around 56 lakh events in the Splunk DB when we query Splunk.