SPL-58112 -> Metadata results from this peer are i...

lpolo · ‎01-02-2013

After upgrading to 5.0.1 splunk is reporting this message:

"Metadata results from this peer are incomplete: the peer has over 100000 entries".

In the release notes you can find this note:

"Metadata results from this peer are incomplete: the peer has over 100000 entries". message in the summary dashboard in large environment (SPL-58112). To work around this issue, increase the value of [metadata] maxcount=500000 in limits.conf.

Therefore, maxcount was increased as recommended. However, splunk is now reporting this message:

Metadata results from this peer are incomplete: the peer has over 500000 entries (see parameter maxcount under the [metadata] stanza in limits.conf), and it will only return metadata information for the first 500000 entries that it encountered. (sid=1357140286.3)

Any recommendations....

Thanks,
Lp

raziasaduddin · ‎03-19-2013

Two Options

1) Bump that number up in the limits.conf to something very high
2) I am assuming you get that message on the search app's main live dashboard. You can edit that search syntax in the xml to display a fixed amount or play with those options.
The file is in:
\$Splunk_Home$\etc\system\default\data\ui\views

SPL-58112 -> Metadata results from this peer are incomplete

Detecting Remote Code Executions With the Splunk Threat Research Team

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

.conf24 | Session Scheduler is Live!!