Hello,
I am using the stats command with the list() function. Unfortunately, for some groupings the list size exceeds Splunk's limit. Is there a setting in limits.conf or anywhere else where I can increase this limit? Using values() instead of list() will not work for me, as I need to keep the sequence of events, as well as duplicate values.
Error message:
'stats' command: limit for values of field 'xxx' reached. Some values may have been truncated or ignored.
I was able to resolve the issue by adding the following to limits.conf
[stats]
list_maxsize = 10000
maxresultrows = 50000
maxvalues = 10000
maxvaluesize = 10000
try using table and dedup together
values allows the list to be much longer but it also removes duplicate field values and sorts the field values.
This limits.conf might help you:
list_maxsize = <int>
* Maximum number of list items to emit when using the list() function stats/sistats
* Defaults to 100
Does it resolve the problem, I face the same issue
Do you put it on the right stanza?
[stats]
list_maxsize = 300
[sistats]
list_maxsize = 300
i tried this, but this does not work!
note that this must be under a [stats] and/or [sistats] stanza within a limits.conf in order to work right!
What's your use case? Maybe there's a way to go without list()
.