Splunk Search

Why is the Splunk eval command in my search returning a limited number of results (10,000)?

priyankshah
New Member

I am writing a search where I am subtracting values of 2 fields and inserting into a new field using the eval command. The result always contains up to 10,000 records, even though there are more events for the search. Can some one help me understand why is it so and is there any way to change that?

When I try the same search without the eval command, it returns the actual number of events for the search.

Need urgent help with the question. Any help would be highly appreciated. Thanks!

Tags (3)
0 Karma

acharlieh
Influencer

The issue is not the eval command but rather the sort that is imposing a 10,000 result limit. If instead of:

... | sort - Difference | ...

You did:

... | sort 0 - Difference | ...

All results should be returned. (At the cost of more resource usage during the search of course).

jeffland
SplunkTrust
SplunkTrust

Can you post your search? There has to be something else in that search causing this, a subsearch for example.

0 Karma

priyankshah
New Member

Here's my search query -

index=*txn* prefetch.go | rex "eprov_rcae3=[\d]+:(?\d*)" | rex "findNgenOMOffers=[\d]+:(?\d*)"  | eval Difference=OMResponseTime-RCAEResponseTime | sort -Difference | table GSID, RCAEResponseTime, OMResponseTime, Difference
0 Karma

jeffland
SplunkTrust
SplunkTrust

Please mark your search as code, otherwise the markup will screw up special characters.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...