Splunk Search

Why is there a 10000 rows limit?

jiaqya
Builder

I ran a search which should show more than 10000 rows, but I get only 10000 rows back on the result.
Is this a limitation?

0 Karma
1 Solution

vnravikumar
Champion

Hi

Are you using the sort command? It defaults results to 10K, but you can unlimit it by using sort 0.


aholzer
Motivator

You are likely running a join or something similar. All the limits are configured under limits.conf. Be very careful about changing them though because they can have a big impact on performance!

There are ways of doing joins without the "join" command. I suggest you post the search you are trying to perform so that someone can help you build out the more efficient search without the join.

Hope this helps

0 Karma

anil1432
Explorer

Can you please solve the query?

Issue with limits.conf

(host=wscreenapi3* OR host=tracking-api-release) name="RegisteredUserLog" earliest=-60d@d latest=-30d@d id!=3000000010
| fields event_id platform
| fields - _raw
| stats count by event_id platform
| dedup event_id
| rename event_id as easy_id
| table easy_id platform
| join type=left easy_id
    [search (host=wscreenapi3* OR host=tracking-api-release) name="RegisteredUserLog" earliest=-30d@d latest=@d id!=3000000010
    | fields event_id
    | fields - _raw
    | stats count by event_id
    | rename event_id as easy_id
    | table easy_id
    | eval retentionFlg=1]
| eval platform_str=if(platform="0","Android",if(platform="1","iPhone",if(platform="2","Web (Android)",if(platform="3","Web (iPhone)","Unknown"))))
| stats count(easy_id) as basedUserCount sum(retentionFlg) as retentionUserCount by platform_str
| addcoltotals labelfield=platform_str
| eval customerChurnRate=(basedUserCount - retentionUserCount) / basedUserCount * 100
| eval baseUserListDateFrom = strftime(relative_time(now(),"-60d@d"), "%Y/%m/%d")." 00:00:00"
| eval baseUserListDateTo = strftime(relative_time(now(),"-31d@d"), "%Y/%m/%d")." 23:59:59"
| eval compareUserListDateFrom = strftime(relative_time(now(),"-30d@d"), "%Y/%m/%d") ." 00:00:00"
| eval compareUserListDateTo = strftime(relative_time(now(),"-1d@d"), "%Y/%m/%d") ." 23:59:59"
| table baseUserListDateFrom baseUserListDateTo compareUserListDateFrom compareUserListDateTo platform_str basedUserCount retentionUserCount customerChurnRate

0 Karma

jiaqya
Builder

Thanks for your reply, it was the usage of sort which was causing it.

0 Karma

jiaqya
Builder

Thanks, it was the sort usage. It's fixed now.

0 Karma