Splunk Search
Highlighted

Why is there a 10000 rows limit?

Builder

I ran a search which should show more than 10000 rows, but I get only 10000 rows back on the result.
Is this a limitation?

Tags (2)
0 Karma
Highlighted

Re: Why is there a 10000 rows limit?

Champion

Hi

Are you using sort command? It defaults results to 10K, but you can unlimit it by using sort 0.

View solution in original post

Highlighted

Re: Why is there a 10000 rows limit?

Builder

Thanks, it was the sort usage.. its fixed now..

0 Karma
Highlighted

Re: Why is there a 10000 rows limit?

Motivator

You are likely running a join or something similar. All the limits are configured under limits.conf. Be very careful about changing them though because they can have a big impact on performance!

There are ways of doing joins without the "join" command. I suggest you post the search you are trying to perform so that someone can help you build out the more efficient search without the join.

Hope this helps

0 Karma
Highlighted

Re: Why is there a 10000 rows limit?

Builder

thanks for your reply, it was the usage of sort which was causing it..

0 Karma