Splunk Search

scrub command returning 50000 results

chrisw3
Explorer

Looking for confirmation that I've found the right setting.

When I run:

query
| stats count

I see 400,000 events.

When I run

query
| scrub

It only returns 50,000.

Looking through documentation and other posts, it appears that the bottleneck is the maxresultrows setting in limits.conf but there's nothing that confirms this. Am I in the right place or is there another setting that I should adjust?

1 Solution

chrisw3
Explorer

Sharing the answer I found after working with the Splunk team to dig this out.

There's no call to the python SDK so that doesn't appear to impact anything.

Turns out that the answer is the maxresultrows setting in limits.conf. This limits the search to 50,000.

However, there's a second limitation underneath the commands.conf file that is required as well.

commands.conf
[scrub]
maxinputs = integer

From documentation:
* Maximum number of events that can be passed to the command for each invocation.
* This limit cannot exceed the value of maxresultrows in limits.conf.
* 0 for no limit.
* Defaults to 50000.

The smallest of the values of maxresultrows and maxinputs will be the value that is returned.

Hopefully this saves someone a few minutes of clicking.
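As an added example that is not part of this thread, here are the two settings the accepted answer names, written out as local overrides. Assumptions: maxresultrows is placed in the [searchresults] stanza of limits.conf (per the limits.conf spec), both files go under $SPLUNK_HOME/etc/system/local, and 400000 is chosen only because that is the event count in the question.

```ini
# $SPLUNK_HOME/etc/system/local/limits.conf  (added example, not from the thread)
# maxresultrows is a global cap on result rows for every search, not just scrub,
# so size it to the largest result set you actually need to process.
[searchresults]
maxresultrows = 400000

# $SPLUNK_HOME/etc/system/local/commands.conf  (added example, not from the thread)
# maxinputs cannot exceed maxresultrows above; the smaller of the two is the
# number of events scrub will actually see per invocation.
[scrub]
maxinputs = 400000
```

After a splunkd restart, re-running `query | scrub | stats count` should report the full 400,000 rather than 50,000. The check matters because scrub is an anonymization step: a silent cap means only the first 50,000 events were anonymized, so compare the count before and after scrub whenever the scrubbed output is meant to be shared.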


David_Naylor
Path Finder

Hey Chrisw3,

Unfortunately, I do not believe this is a setting you can change. To test, I went and changed every value in limits.conf from 50000 to 50100. scrub still came back with only 50,000 results.

Additionally, I believe this is a constraint of the command itself, because it is calling a Python script on the backend which is using the 1.x SDK, which limits transforming searches to 50k results. I believe the 50k limit is a limit of the SDK and is not configurable anywhere.

Sorry and good luck! -David

0 Karma

chrisw3
Explorer

Do you have anything you can point me to for the limit on the 1.x SDK?

0 Karma

David_Naylor
Path Finder

This "Best of Splunk" .conf 2017 talk on the Python SDK v2 lists the 50k limit as a negative of v1.

http://conf.splunk.com/sessions/2017-sessions.html#search=Extending%20SPL%20with%20Custom%20Search%2...

0 Karma