Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

metadata search is restricted to 10000 results

the_wolverine
Champion
‎08-13-2010 05:57 PM

I'm trying to run a metadata search on type=hosts and am being capped in the UI to 10,000 results. I've already increased the limits.conf setting per the following answers post:

http://answers.splunk.com/questions/3197/metadata-typesources-maxes-out-at-10000-limits-conf-setting

How can I get Splunk to return a complete listing?

Reply
1 Solution
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎08-13-2010 06:07 PM

What version of Splunk are you running? Please provide a diag file with your answer.

The setting described works in 4.1.x, but not in 4.0.x.

Update:

Seems this setting doesn't work as described in 4.1.3. I have a 4.1.3 search head, and five 4.1.3 indexers. All of them have the default setting in limits.conf, which is 100,000 (not 10,000):

[metadata]
# the most metadata results to fetch from each indexer.
maxcount = 100000

However, running 

| metadata type=sources

limits me to 10,000 results, and

| metadata type=sources | stats count

gives me 10,000.

You can keep your diag.

View solution in original post

Reply
Solved! Jump to solution

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎08-13-2010 11:59 PM

limits.conf isn't propagated from the search head, so you should set on all servers.

Reply
Solved! Jump to solution

the_wolverine
Champion
‎08-13-2010 07:04 PM

Hmm, so I had updated the limits.conf setting on the search head. Does this change need to occur at the indexers themselves?

0 Karma
Reply
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎08-13-2010 06:07 PM

What version of Splunk are you running? Please provide a diag file with your answer.

The setting described works in 4.1.x, but not in 4.0.x.

Update:

Seems this setting doesn't work as described in 4.1.3. I have a 4.1.3 search head, and five 4.1.3 indexers. All of them have the default setting in limits.conf, which is 100,000 (not 10,000):

[metadata]
# the most metadata results to fetch from each indexer.
maxcount = 100000

However, running 

| metadata type=sources

limits me to 10,000 results, and

| metadata type=sources | stats count

gives me 10,000.

You can keep your diag.

Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎08-16-2010 01:05 AM

All of your diags are unreadable. Please resubmit all of them. Thank you.

0 Karma
Reply
Solved! Jump to solution

the_wolverine
Champion
‎08-13-2010 07:03 PM

I'm using version 4.1.2 and it isn't working. There was a diag submitted with one of my recent cases. Please look at all my cases and let me know if you don't see it. kthxbai.

0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...