I'm trying to add an event view to a dashboard, but Splunk seems to ignore the options set in the XML:
<event>
<searchName>Global AAA - Failed: bad password</searchName>
<title>Mistyped Passwords</title>
<fields>User,NetworkDeviceName</fields>
<count>15</count>
<maxLines>1</maxLines>
</event>
I have also tried other variations like <option name="count">15</option>
and <event count=15>
. Every time I still get about 26 entries.
<option name="count">15</option>
is the format that I have always used, although I assume that the other format works as well, since it is in the manual.
If you simply run the search, do you get about 26 entries?
I think the description in the manual is a bit confusing - Splunk does not limit the results to 15 events, but it should limit the results to 15 per page. Try adding the following
<option name="showPager">true</option>
and see if that changes things. If you really only want 15 events total, edit your saved search, and limit the results by adding
| head 15
for example.
<option name="count">15</option>
is the format that I have always used, although I assume that the other format works as well, since it is in the manual.
If you simply run the search, do you get about 26 entries?
I think the description in the manual is a bit confusing - Splunk does not limit the results to 15 events, but it should limit the results to 15 per page. Try adding the following
<option name="showPager">true</option>
and see if that changes things. If you really only want 15 events total, edit your saved search, and limit the results by adding
| head 15
for example.
unfortunately splunk seemes to ignore the showPager attempt as well, but adding a head limit to the original search did the trick. Thanks.