Hi,
It looks like a table view of an embedded report is limited to the first 20 results.
I couldn't find any place to change this limit. Changing the view before embedding didn't help either...
Can you point me in the right direction?
Thanks,
Steph
@grundsch For the sake of the community, because this was never answered, here's a WORKAROUND.
Below is a run-anywhere example to show how to work around the 20 results limit for an embedded report. It's not intuitive. Run it one line at a time and get an understanding of it. The formatting with this approach is less than perfect, but if you can deal with it, this is a valid workaround. (solution graciously provided by @dmarling)
index=_internal sourcetype=splunkd_access user!="splunk-system-user" user!="-"
| head 30
| streamstats count as counter
| eval counter=counter-1
| bin counter span=10
| eval clowncar=user."~".method."~".clientip."~".bytes
| stats values(clowncar) as clowncar by counter
| rex field=clowncar "(?<user>[^~]*)~(?<method>[^~]*)~(?<clientip>[^~]*)~(?<bytes>[^~]*)"
| fields - clowncar counter
Nice idea of chunking results in 10 blocks of multivalued fields, and I didn't expect rex to behave like that on multivalued fields, interesting!
I would use "list" instead of "values" to keep the order and maybe even duplicates (depends on your use case).
I've found a workaround to this issue. The limit is 20 table rows, but there seems to be no limit in the number of multivalue fields in a single row. So, instead of, say, running | stats count by user | fields user, you can use | stats values(user) as users by index | fields users. It's not pretty, but it works.
2020, still facing the same issue. Any help would be appreciated. 2020, still same issue, unless someone has solved it.
I still hit this issue in Splunk 6.6.1. Is this bug fixed in any new version, or is there any plan to fix this?
I've found in etc/system/default/ui-prefs.conf the following:
display.prefs.events.count = 20
display.prefs.statistics.count = 20
but changing it (in etc/system/local/ui-prefs.conf) didn't help...
Any other idea? Can we override it somewhere?
I got the same problem. It will be great if anyone shares an idea to resolve this issue.
I got the same problem. Has anyone solved it?
Thank you