Splunk Search

Why do I receive "Limit (50000 results) reached." warning message?

Masa
Splunk Employee

When I was searching with the following query for one day,

 sourcetype=web_access | chart count by sourceIP

There was the following message in the banner below the Search bar:

 Limit (50000 results) reached. Some fields may have been ignored.

And I noticed the result never went over 50,000. How can I increase the limit?

1 Solution

Masa
Splunk Employee

This means that you hit the row limit, 50,000, in the "chart" command. There were more than 50,000 different source IPs for the day in the search result.

The chart command's limit can be changed in the [stats] stanza.
So, you can increase the number in the [stats] stanza in limits.conf.

[stats]
maxresultrows = 100000

maxresultrows
   * Maximum number of result rows to create.
   * If not specified, defaults to searchresults::maxresultrows (which is by default 50000).

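The fallback described in the answer above ([stats] maxresultrows, else searchresults::maxresultrows, else 50000), as an added example that is not part of the original thread or Splunk's own code. It models only two layers (system/default and system/local), the sample files are constructed, and the known-key list holds only the setting names quoted in this thread; the function names are hypothetical.

```python
import configparser
import difflib

# Constructed sample files (not taken from a real deployment).
DEFAULT_CONF = "[searchresults]\nmaxresultrows = 50000\n"
LOCAL_CONF = "[searchresults]\nmaxresultsrow = 500000\n"  # note the misspelled key

# Setting names quoted in this thread; not the complete limits.conf spec.
KNOWN_KEYS = {"maxresultrows", "tocsv_maxretry", "tocsv_retryperiod_ms"}


def parse(text):
    """Parse conf text into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key names exactly as written
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}


def merge(default, local):
    """Layer local over default, stanza by stanza (local wins per key)."""
    merged = {s: dict(kv) for s, kv in default.items()}
    for stanza, kv in local.items():
        merged.setdefault(stanza, {}).update(kv)
    return merged


def effective_stats_limit(conf):
    """[stats] maxresultrows, else searchresults::maxresultrows, else 50000."""
    for stanza in ("stats", "searchresults"):
        value = conf.get(stanza, {}).get("maxresultrows")
        if value is not None:
            return int(value)
    return 50000


def suspicious_keys(local):
    """Local keys that are unknown but closely resemble a known key."""
    hits = []
    for stanza, kv in local.items():
        for key in kv:
            near = difflib.get_close_matches(key, KNOWN_KEYS, n=1, cutoff=0.8)
            if key not in KNOWN_KEYS and near:
                hits.append((stanza, key, near[0]))
    return hits
```

On a running instance, `splunk cmd btool limits list --debug` shows the merged settings across all layers, including app directories that this model leaves out.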

the_wolverine
Champion

The default value of 50000 can be modified by editing the [searchresults] stanza in limits.conf:

[searchresults]
maxresultrows = 100000

Masa
Splunk Employee

Depending on the search command, you might have reached the max limit of stats, top, or join. You can change these limits in limits.conf.

Also, you might find the limit of searchresults is still 50k by checking the search in audit.log or search.log in the dispatch directory.

0 Karma

Masa
Splunk Employee

Thanks, the_wolverine 🙂

0 Karma

jkat54
SplunkTrust

Be warned though, increasing the limit can cause instability in users' browsers. I once bluescreened a workstation due to OOM issues when tweaking this setting.

0 Karma

the_wolverine
Champion

Setting maxresultrows under [stats] did not work for our environment. As you know we have a high count of events. As I posted below, it required setting this under [searchresults].

0 Karma

dhsetty
Explorer

Changes made in limits.conf:

Path of the file: /data/third_party/splunk/etc/system/local

Under [searchresults], maxresultsrow: changed the value from 50000 to 500000.

But I still see only 50000 results for any query to Splunk, though there are 5600000 events in the database.

For the information:

vm30esa0072:rtestuser 116] /data/third_party/splunk/bin/splunk dispatch "* starttime=04/11/2017:00:00:00 endtime=04/12/2017:23:59:00 | stats count" -auth admin:changeme

count

1686815

==> In total there are around 16 lakh events/results in the Splunk DB, but I get only 50K results...!!


limits.conf file snippet:

# Copyright (C) 2005-2010 Splunk Inc. All Rights Reserved. Version 3.0
# DO NOT EDIT THIS FILE!
# Please make all changes to files in $SPLUNK_HOME/etc/system/local.
# To make changes, copy the section/stanza you want to change from $SPLUNK_HOME/etc/system/default
# into ../local and edit there.
#
# This file configures various limits to the Splunk's search commands.
# CAUTION: Do not alter the settings in limits.conf unless you know what you are doing.
# Improperly configured limits may result in splunkd crashes and/or memory overuse.

[searchresults]
maxresultrows = 5000000

# maximum number of times to try in the atomic write operation (1 = no retries)
tocsv_maxretry = 5

# retry period is 1/2 second (500 milliseconds)
tocsv_retryperiod_ms = 500

0 Karma

dhsetty
Explorer

I need help getting all of the around 56 lakh events in the Splunk DB when we query Splunk.

0 Karma