Splunk Search limits results to 1000 events only

uayub · ‎09-19-2014

The following Search command:

error OR failed OR severe OR ( sourcetype=access_* ( 404 OR 500 OR 503 ) )

results to only 1000 events. A bang displays the following message:

"Currently displaying the most recent 1000 events in the selected range. Select a narrower range or zoom in to see more events"

Objective: to see all events in the last 24 hours .

Thanks

UA

chimell · ‎03-16-2015

I think that this search code will help 
 error OR failed OR severe OR ( sourcetype=access_* ( 404 OR 500 OR 503 ) ) earliest=-24h@h

jacobwilkins · ‎10-15-2014

At the end of your search add this:

| table *

This will cause splunk to return "results" instead of "events", and the restriction will be removed.

You can use a more specific table, or any aggregating command to get the same result.,This has to do with the difference between "events" and "results." For performance, splunk will only pull the first 1000 events back to the SH, but this restriction does not apply to results.

karan1337 · ‎07-03-2015

Thank you. This post helped me solve a long overdue problem. Points awarded!

somesoni2 · ‎09-19-2014

and you're seeing the result in Events tab or Visualization tab? What do you want to do with the data returned?

uayub · ‎09-19-2014

in the Events tab. I normally would like to see all errors for the last 24 hours. I browse through these to see if anything critical has occurred.

somesoni2 · ‎09-19-2014

What was the time range selected in the timerange picker. Meanwhile, try this

error OR failed OR severe OR ( sourcetype=access_* ( 404 OR 500 OR 503 ) ) earliest=-24h@h

uayub · ‎09-19-2014

The time range was past 24 hours

uayub · ‎09-19-2014

Same error was observed. I am sure there might be a limit set up in one of the config files.

Splunk Search limits results to 1000 events only

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life