How to override the 20 line limit for the table view of embedded reports?

grundsch
Communicator

Hi,

It looks like a table view of an embedded report is limited to the first 20 results.
I couldn't find any place to change this limit. Changing the view before embedding didn't help either...

Can you point me in the right direction?

Thanks,
Steph

1 Solution

efavreau
Motivator

@grundsch For the sake of the community, because this was never answered, here's a WORKAROUND.

Below is a run-anywhere example to show how to work around the 20 results limit for an embedded report. It's not intuitive. Run it one line at a time and get an understanding of it. The formatting with this approach is less than perfect, but if you can deal with it, this is a valid workaround. (solution graciously provided by @dmarling)

index=_internal sourcetype=splunkd_access user!="splunk-system-user" user!="-"
| head 30
| streamstats count as counter
| eval counter=counter-1
| bin counter span=10
| eval clowncar=user."~".method."~".clientip."~".bytes
| stats values(clowncar) as clowncar by counter
| rex field=clowncar "(?<user>[^~]*)~(?<method>[^~]*)~(?<clientip>[^~]*)~(?<bytes>[^~]*)"
| fields - clowncar counter

If this reply helps you, an upvote would be appreciated.

0 Karma

grundsch
Communicator

Nice idea of chunking results in 10 blocks of multivalued fields, and I didn't expect rex to behave like that on multivalued fields, interesting!

I would use "list" instead of "values" to keep the order and maybe even duplicates (depends on your use case).

0 Karma

hettervik
Builder

I've found a workaround to this issue. The limit is 20 table rows, but there seems to be no limit in the number of multivalue fields in a single row. So, instead of say running | stats count by user | fields user, you can use | stats values(user) as users by index | fields users. It's not pretty, but it works.

0 Karma

sahr_m_lebbie
Engager

2020, still facing the same issue. Any help would be appreciated. 2020, still same issue, unless someone has solved it.

0 Karma

lyc1986830
New Member

I still hit this issue in Splunk 6.6.1. Is this bug fixed in any new version, or is there any plan to fix it?

0 Karma

grundsch
Communicator

I've found in etc/system/default/ui-prefs.conf the following:

display.prefs.events.count = 20
display.prefs.statistics.count = 20

but changing it (in etc/system/local/ui-prefs.conf) didn't help...
Any other idea? Can we override it somewhere?

0 Karma

samarkumar
Path Finder

I got the same problem. It would be great if anyone could share an idea to resolve this issue.

0 Karma

Lindaiyu
Path Finder

I got the same problem. Has anyone solved it?
Thank you

0 Karma