how to avoid this error "WARN StatsProcessor - 'stats' command: limit for values of field 'user_id' reached. Some values may have been truncated or ignored."

su_kumar
New Member

Hi,

I am using the stats command with the list() function, and I am getting the error below.

Error:
'stats' command: limit for values of field 'xxx' reached. Some values may have been truncated or ignored.

WARN StatsProcessor - 'stats' command: limit for values of field 'user_id' reached. Some values may have been truncated or ignored.
ERROR SearchParser - Missing a search command before '|'. Error at position '2086' of search query '| tstats count AS count sum(Web_Access_Event.bytes...{snipped} {errorcontext = main | |dedup user}'.

I have configured limit.conf:
[stats]
list_maxsize = 10000
maxresultrows = 50000
maxvalues = 10000
maxvaluesize = 10000
Unfortunately, after setting this in limit.conf, I am unable to fix this issue.
Can anyone help me with this issue?

0 Karma

koshyk
Super Champion

Can you please try changing your query to:

| stats sum(bytes_in) as Total_Bandwidth_User_group dc(user_id) as Total_No_User  by user_id, group
| eventstats sum(Total_Bandwidth_User_group) as Total_Bandwidth by group 
| rename group AS "AD Group"
0 Karma

DavidHourani
Super Champion

Hi there,

Try this:

[stats]
list_maxsize = 10000
maxresultrows = 50000
maxvalues = 10000
maxvaluesize = 10000

From here:
https://answers.splunk.com/answers/132521/stats-command-limit-for-values-of-field-xxx-reached-some-v...

Seems like they have the same issue.

Cheers,
David

0 Karma

su_kumar
New Member

Hi,
The solution below is not working:
[stats]
list_maxsize = 10000
maxresultrows = 50000
maxvalues = 10000
maxvaluesize = 10000

0 Karma

DavidHourani
Super Champion

Oh, if this is your query, then you need to remove the pipe in front of dedup and go for the values function instead of the list function 😄

 |stats values("user_id") as User dc(user_id) as Total_No_User sum(bytes_in)  as Total_Bandwidth by  group | eventstats sum(bytes_in) as Total_Bandwidth by group | rename group AS "AD Group"
0 Karma
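
An added example, not part of the original thread or any poster's code: a self-contained search that compares list() and values() on constructed data, so the cap the warning refers to can be measured directly. The field names follow the thread; the 500 generated events, the two groups "A" and "B", and the helper fields n, list_count and values_count are assumptions made for illustration, and the search assumes a Splunk version that accepts inline triple-backtick comments.

```spl
| makeresults count=500 ``` constructed sample data, not real web access events ```
| streamstats count AS n
| eval group=if(n%2==0, "A", "B"), user_id="user".n, bytes_in=n*10
| stats list(user_id) AS list_users
        values(user_id) AS values_users
        dc(user_id) AS Total_No_User
        sum(bytes_in) AS Total_Bandwidth
        BY group
| eval list_count=mvcount(list_users), values_count=mvcount(values_users) ``` hypothetical helper fields ```
| table group list_count values_count Total_No_User Total_Bandwidth
```

A list_count lower than Total_No_User means list() was capped by list_maxsize in the [stats] stanza, while values() returns the distinct, sorted set. For a per-group user report this means the list() column can silently omit users even though the counts and sums are complete.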

DavidHourani
Super Champion

@su_kumar did this work for you using values instead of list?

0 Karma

DavidHourani
Super Champion

Replace with the new query I posted here:

|stats values("user_id") as User dc(user_id) as Total_No_User sum(bytes_in)  as Total_Bandwidth by  group | eventstats sum(bytes_in) as Total_Bandwidth by group | rename group AS "AD Group"
0 Karma

su_kumar
New Member

I have removed the pipe but still see the error and am not able to see the last column duration value.

Latest query:

dedup user_id | eval duration = round(duration,2) | eval duration=tostring(duration,"duration") | sort group,user_id | where bytes_in >0 |stats list("user_id") as User,list("dest_domain") as Application,list("bytes_in") as Bandwidth_used, list("duration") as Time by group
| rename group AS "AD Group"
</query>

Warning:
19 08:46:33.559 -0700 WARN StatsProcessor - Specified field(s) missing from results: 'duration'
05-08-2019 08:46:33.890 -0700 WARN StatsProcessor - 'stats' command: limit for values of field 'user_id' reached. Some values may have been truncated or ignored.
05-08-2019 08:46:34.153 -0700 WARN StatsProcessor - Specified field(s) missing from results: 'duration'
05-08-2019 08:46:36.159 -0700 WARN DispatchManager - The instance is approaching the maximum number of historical searches that can be run concurrently.
05-08-2019 08:46:36.182 -0700 WARN DispatchManager - The instance is approaching the maximum number of historical searches that can be run concurrently

0 Karma

koshyk
Super Champion

Can you please put your SPL which has the stats function?
I don't think it is a limits.conf issue, as there might be scope for improvement in the SPL.

0 Karma

su_kumar
New Member
<query> 
|dedup user_id  |stats list("user_id") as User dc(user_id) as Total_No_User sum(bytes_in)  as Total_Bandwidth by  group | eventstats sum(bytes_in) as Total_Bandwidth by group | rename group AS "AD Group"
</query>
    </search>
0 Karma

codebuilder
Influencer

You have an errant pipe in your search between main and dedup:

ERROR SearchParser - Missing a search command before '|'. Error at position '2086' of search query '| tstats count AS count sum(Web_Access_Event.bytes...{snipped} {errorcontext = main | |dedup user}'.
----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma

codebuilder
Influencer

Did you cycle Splunk after modifying limits.conf?

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma

su_kumar
New Member

If you are talking about needing to restart after modifying limits.conf: after modifying limits.conf, I had restarted Splunk.

0 Karma