Splunk Dev

Where can I change the 10 million limit count?

slr
Communicator

Hi there!

I have created a panel with a simple count of events that depends on some pickers. All works fine, but when I'm testing this panel and I put all the events (15 million more or less) only shows me 10 million. I was thinking in the limits.conf, and I tried to change some options like...

[stats]
maxresultrows = <integer>
* Maximum number of rows allowed in the process memory.
* When the search process exceeds max_mem_usage_mb and maxresultrows, data is
  spilled out to the disk
* If not specified, defaults to searchresults::maxresultrows (which is by default 50000).

maxvalues = <integer>
* Maximum number of values for any field to keep track of.
* Defaults to 0 (unlimited).

[concurrency]
max_count = <integer>
* Maximum number of detected concurrencies.
* Defaults to 10000000

... without any change. I'm reading all the option but I belive that any of them refers to this. I'm wrong?

Any help? please

Tags (1)
0 Karma
1 Solution

slr
Communicator

Ok, my bad. We are testing with the DB connect (lauch a batch, delete index, repeat) and one of the options in batch mode is the max rows to retrieve and guess what? This option is set up to 10 million. I forget to activate the rising column and with all this elements we create "this problem". Solved!

All of you, thank you.

View solution in original post

0 Karma

slr
Communicator

Ok, my bad. We are testing with the DB connect (lauch a batch, delete index, repeat) and one of the options in batch mode is the max rows to retrieve and guess what? This option is set up to 10 million. I forget to activate the rising column and with all this elements we create "this problem". Solved!

All of you, thank you.

0 Karma

gcusello
SplunkTrust
SplunkTrust

I don't know if it's the same thing but I found a situation in which I had a search Limited to 10000 events, also modifing limits.conf.
The problem was the sort command I used: Using "sort 0 myfield" I solved my problem.
Bye.
Giuseppe

0 Karma

slr
Communicator

Thanks for your quick answer!

I know about the sort limit before and I think that the problem was similar, but I can't find something like that in the stats documentation. My query is really simple:

index=some_index $token1$ $token2$ | stats count

Any other suggestion?

Regards.

0 Karma

inventsekar
Ultra Champion

are you having distributed environment?

limits.conf settings and DISTRIBUTED SEARCH
Unlike most settings which affect searches, limits.conf settings are not
provided by the search head to be used by the search peers. This means
that if you need to alter search-affecting limits in a distributed
environment, typically you will need to modify these settings on the
relevant peers and search head for consistent results.

slr
Communicator

Hi @inventsekar

Isn't the case this time. Is a simple Splunk Enterprise 6.4.1 deployment in a Linux Ubuntu Server 16.04

0 Karma

inventsekar
Ultra Champion

may i know your search query please.. are you running and counting using stats or something like that? as per my knowledge, there is no limit for the number of the search results. but maybe, other configs are limiting it seems.

just i tried on my environment and its returning more than 11million events.
host = "my.hostname.com" | stats count
11,599,613

0 Karma

slr
Communicator

Hi again @inventsekar

My query is really simple:

index=index1 $token$ $token2$ $token3$ $token4$ $token5$ $token6$ | stats count

I get 10 million with every user, everywhere (search box or panel).

This is a fresh install, and we are set up the config when we need it and by now, we didn't touch any config file (unless limits.conf for this case).

Maybe a 6.4.1 limitation?

0 Karma

inventsekar
Ultra Champion

nope. 6.4.1 release notes does not say anything about this.
also pls check the user role permissions. the user roles can have Search restrictions.

0 Karma

slr
Communicator

Ok, I will check the roles but this happen with the admin user, too.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...