Splunk Search

chart command has reached the limit for data points

cramasta
Builder

Does anyone know if this is something that can be adjusted in the limits.conf file?
[subsearch]: chart command has reached the limit for data points. Results may be incomplete

Tags (2)
0 Karma

cramasta
Builder

I am using the following search over 30 days. I believe it may have something to do with using the OVER function in the chart command.

...| chart values(cpiduration) AS WebCallPerformance values(Status) AS WebCallStatus over RequestID by webservice

what setting in the limits.conf do you think i can adjust to fix this?

0 Karma

nekb1958
Path Finder

Was there any answer from support, i got the same error (without a subsearch) and want to fix it. Thank you.

0 Karma

araitz
Splunk Employee
Splunk Employee

Was there an answer?

0 Karma

tzhmaba2
Path Finder

Could you post the answer from the support here?
Thanks!

0 Karma

cramasta
Builder

Im going to open a support case to find out what limitations of the chart command are causing this warning

0 Karma

sowings
Splunk Employee
Splunk Employee

I don't see anything in limits.conf that specifically says "I'm the limit for chart". Instead, I might rephrase the question as "what problem are you trying to solve?"

I wonder whether the "over RequestID" as the "split by" clause combined with the "by webservice" phrase are producing a matrix that is too large for chart to handle comfortably.

Simply put, adjusting limits.conf may not be the answer.

0 Karma

cramasta
Builder

So initially i was running this chart command in a sub-search. If I run it by itself as a single search I still get the same error without the sub-search piece being mentioned. I'm thinking there may be a different setting that would have to be adjusted specifically for the chart command (if its even something that can be changed).

chart command has reached the limit for data points. Results may be incomplete.

0 Karma

sowings
Splunk Employee
Splunk Employee

Yes, that's the one. The default in 4.3.1 is 10,000, not 100 as indicated in limits.conf.spec.

0 Karma

cramasta
Builder

what setting would you be referring to? maxout?

0 Karma

sowings
Splunk Employee
Splunk Employee

The limits.conf stanza in question is [subsearch], but remember to create this setting in a "local" version of limits.conf, as changes to the version in the default directory may be overwritten at upgrade time.

0 Karma

sowings
Splunk Employee
Splunk Employee

Yes, you can change the subsearch limit in limits.conf, but I've only rarely found a need to do so. It may not be necessary, depending upon what you're trying to do. Can you provide an example of what you're trying to do?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...