Splunk Search
Highlighted

how to avoid this error "WARN StatsProcessor - 'stats' command: limit for values of field 'user_id' reached. Some values may have been truncated or ignored."

New Member

Hi,

I am using the stats command with the list() function. , i am getting below error.

Error :
'stats' command: limit for values of field 'xxx' reached. Some values may have been truncated or ignored.

WARN StatsProcessor - 'stats' command: limit for values of field 'userid' reached. Some values may have been truncated or ignored.
ERROR SearchParser - Missing a search command before '|'. Error at position '2086' of search query '| tstats count AS count sum(Web
Access_Event.bytes...{snipped} {errorcontext = main | |dedup user}'.

i have configured limit.conf
[stats]
list_maxsize = 10000
maxresultrows = 50000
maxvalues = 10000
maxvaluesize = 10000
Unfortunately , after setting in limit.conf , unable to fix this issue.
anyone help me on this issue

0 Karma
Highlighted

Re: how to avoid this error "WARN StatsProcessor - 'stats' command: limit for values of field 'user_id' reached. Some values may have been truncated or ignored."

Motivator

Did you cycle Splunk after modifying limits.conf?

0 Karma
Highlighted

Re: how to avoid this error "WARN StatsProcessor - 'stats' command: limit for values of field 'user_id' reached. Some values may have been truncated or ignored."

New Member

if you talking about after modify limits.conf , need to restart limilts.conf so after modify limits.conf , i had restarted splunk

0 Karma
Highlighted

Re: how to avoid this error "WARN StatsProcessor - 'stats' command: limit for values of field 'user_id' reached. Some values may have been truncated or ignored."

Super Champion

can u please put your SPL which has stats function?
I don't think it is a limits.conf issue as there might be improvement scope in the SPL

0 Karma
Highlighted

Re: how to avoid this error "WARN StatsProcessor - 'stats' command: limit for values of field 'user_id' reached. Some values may have been truncated or ignored."

Motivator

You have an errant pipe in your search between main and dedup:

ERROR SearchParser - Missing a search command before '|'. Error at position '2086' of search query '| tstats count AS count sum(Web_Access_Event.bytes...{snipped} {errorcontext = main | |dedup user}'.
0 Karma
Highlighted

Re: how to avoid this error "WARN StatsProcessor - 'stats' command: limit for values of field 'user_id' reached. Some values may have been truncated or ignored."

New Member
<query> 
|dedup user_id  |stats list("user_id") as User dc(user_id) as Total_No_User sum(bytes_in)  as Total_Bandwidth by  group | eventstats sum(bytes_in) as Total_Bandwidth by group | rename group AS "AD Group"
</query>
    </search>
0 Karma
Highlighted

Re: how to avoid this error "WARN StatsProcessor - 'stats' command: limit for values of field 'user_id' reached. Some values may have been truncated or ignored."

SplunkTrust
SplunkTrust

Hi there,

Try this :

[stats]
list_maxsize = 10000
maxresultrows = 50000
maxvalues = 10000
maxvaluesize = 10000

From here :
https://answers.splunk.com/answers/132521/stats-command-limit-for-values-of-field-xxx-reached-some-v...

Seems like they have the same issue.

Cheers,
David

0 Karma
Highlighted

Re: how to avoid this error "WARN StatsProcessor - 'stats' command: limit for values of field 'user_id' reached. Some values may have been truncated or ignored."

New Member

Hi ,
below solution is not working :
[stats]
list_maxsize = 10000
maxresultrows = 50000
maxvalues = 10000
maxvaluesize = 10000

0 Karma
Highlighted

Re: how to avoid this error "WARN StatsProcessor - 'stats' command: limit for values of field 'user_id' reached. Some values may have been truncated or ignored."

SplunkTrust
SplunkTrust

Oh, if this is your query then you need to remove the pipe from in front of dedup and instead go for values function not the list function 😄

 |stats values("user_id") as User dc(user_id) as Total_No_User sum(bytes_in)  as Total_Bandwidth by  group | eventstats sum(bytes_in) as Total_Bandwidth by group | rename group AS "AD Group"
0 Karma
Highlighted

Re: how to avoid this error "WARN StatsProcessor - 'stats' command: limit for values of field 'user_id' reached. Some values may have been truncated or ignored."

New Member

I have removed pipe but still see errror and not able to see last column duration value

latest query:

dedup user_id | eval duration = round(duration,2) | eval duration=tostring(duration,"duration") | sort group,user_id | where bytes_in >0 |stats list("user_id") as User,list("dest_domain") as Application,list("bytes_in") as Bandwidth_used, list("duration") as Time by group
| rename group AS "AD Group"
</query>

warning :
19 08:46:33.559 -0700 WARN StatsProcessor - Specified field(s) missing from results: 'duration'
05-08-2019 08:46:33.890 -0700 WARN StatsProcessor - 'stats' command: limit for values of field 'user_id' reached. Some values may have been truncated or ignored.
05-08-2019 08:46:34.153 -0700 WARN StatsProcessor - Specified field(s) missing from results: 'duration'
05-08-2019 08:46:36.159 -0700 WARN DispatchManager - The instance is approaching the maximum number of historical searches that can be run concurrently.
05-08-2019 08:46:36.182 -0700 WARN DispatchManager - The instance is approaching the maximum number of historical searches that can be run concurrently

0 Karma