Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is there a limit on the number of events returned from the transaction?

nfieglein
Path Finder
‎11-11-2014 09:44 AM

I run this command:

index=dccmtdit sourcetype=DCCMT_Log4J_JSON | transaction DpsNum maxevents=-1

It returns: 4,999 events (before 11/11/14 11:34:05.000 AM)

I would expect the number of events returned to be the same as the distinct count of events returned by the following command:

index=dccmtdit sourcetype=DCCMT_Log4J_JSON | stats dc(DpsNum)

However, the number of events returned from the second command is:

dc(DpsNum)
45733

Is there a limit somewhere which prevents me from having all of the events in the transaction? I have various messages coming in which update the status of the event and it is possible that these messages may come in out of order.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

nfieglein
Path Finder
‎11-11-2014 11:41 AM

It is actually a limit of the number of open transaction handles. The parameters (also in limits.conf) is maxopentxn. Playing with this variables, though, seems to have crashed my splunkd. I think I am going to have to seek an alternative to transactions for what I want to do. I really just want to combine events which have the same ID, so maybe dedup will allow me to do that.

View solution in original post

Reply
Solved! Jump to solution

kace
Engager
‎01-28-2015 01:27 PM

I ran into this. Try adding the "keepevicted" (boolean) option to the transaction command. In your example simply :
... | transaction DpsNum maxevents=-1 keepevicted
That got me from ~5000 to ~35000.

Reply
Solved! Jump to solution
Solution

nfieglein
Path Finder
‎11-11-2014 11:41 AM

It is actually a limit of the number of open transaction handles. The parameters (also in limits.conf) is maxopentxn. Playing with this variables, though, seems to have crashed my splunkd. I think I am going to have to seek an alternative to transactions for what I want to do. I really just want to combine events which have the same ID, so maybe dedup will allow me to do that.

Reply
Get Updates on the Splunk Community!

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...