
Event visualization limit

lostpassword
Explorer

Hello.

I'm trying to execute this search:

index = testindex | rex "(<= (?P<senderAddress>.*?) )" | search senderAddress=* | chart dc("messageID") by "senderAddress"

After processing I can see a really nice pie chart 🙂 But I also receive this warning:

These results may be truncated. This
visualization is configured to display
a maximum of 1000 results per series,
and that limit has been reached.

And indeed, I can see only approx. 19k events in the chart, but there should be near 25k. At least, query

index = testindex | rex "(<= (?P<senderAddress>.*?) )" | search senderAddress=* | chart dc("messageID")

returns 25194.

Can you explain to me why the search results are truncated?
Thanks,

Alex.

1 Solution

martin_mueller
SplunkTrust

That limit is there because looking at a pie with 1000 or more slices is fairly pointless.


kbecker
Communicator

Have you opened a support case for this? We are trying to get Splunk to remove this limit and more customers behind this will help drive this.

Thanks,
Ken


sloshburch
Splunk Employee

If you turn this into a dashboard, you can use the charting.data.count option to set a higher limit (even unlimited (0) if you're feeling dangerous).
http://docs.splunk.com/Documentation/Splunk/latest/Viz/ChartConfigurationReference



lostpassword
Explorer

Well, it looks like I was actually looking for "top" function.)
I've tried the following query:
index = testindex | rex "(<= (?P<senderAddress>.*?) )" | search senderAddress=* | top 9 senderAddress useother=t
and then opened visualization tab. I think that's what I was trying to achieve.
Thank you for your help.)


martin_mueller
SplunkTrust

The count will be correct as long as you're looking at the tabular data (Splunk 6 tab "Statistics"); the pie rendering will discard data points beyond 1000. You can verify this by appending a stats sum(dc-field) to your by-search.

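As an added example (not code from the thread or from Splunk's documentation), the following Simple XML dashboard puts the three pieces of advice above side by side: sloshburch's charting.data.count option to lift the 1000-point rendering cap, martin_mueller's stats sum check on the tabular data, and the top/useother variant lostpassword settled on. The index name testindex, the Exim-style "<= sender" arrival lines the rex parses, the 24-hour time range, and the field names messages, total_messages and total_senders are assumptions.

```xml
<dashboard>
  <label>Sender breakdown (added example, not from the thread)</label>
  <!-- index=testindex and the log format the rex parses are assumptions -->
  <row>
    <panel>
      <title>Distinct messages per sender, full series</title>
      <chart>
        <search>
          <query><![CDATA[
index=testindex
| rex "(<= (?P<senderAddress>.*?) )"
| search senderAddress=*
| chart dc(messageID) AS messages BY senderAddress
          ]]></query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">pie</option>
        <!-- default renders at most 1000 points per series; 0 lifts the cap -->
        <option name="charting.data.count">0</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>Check: sum of per-sender counts against the number of senders</title>
      <table>
        <search>
          <query><![CDATA[
index=testindex
| rex "(<= (?P<senderAddress>.*?) )"
| search senderAddress=*
| chart dc(messageID) AS messages BY senderAddress
| stats sum(messages) AS total_messages dc(senderAddress) AS total_senders
          ]]></query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Top 9 senders by event count, remainder grouped as OTHER</title>
      <chart>
        <search>
          <query><![CDATA[
index=testindex
| rex "(<= (?P<senderAddress>.*?) )"
| search senderAddress=*
| top 9 senderAddress useother=t
          ]]></query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">pie</option>
      </chart>
    </panel>
  </row>
</dashboard>
```

Two caveats when reading the check panel: total_messages equals the plain chart dc("messageID") figure only if every messageID is logged under a single sender (a message attributed to two senders is counted twice in the per-sender sum), and if total_senders is above 1000 the first panel is the one that actually needed the option. The third panel counts events per sender rather than distinct messageIDs, so its percentages will not match the first panel exactly; it is the view to use when a readable pie matters more than an exhaustive series.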

lostpassword
Explorer

Well, as I can see, Splunk just groups all low-count items in one big sector named "other".
http://postimg.org/image/ok8bc1fz5/
As I understand, total count of all events should be the same, no matter whether "by senderAddress" is specified or not.
Where am I wrong?
