Search generated too much data...

terryloar · ‎04-23-2012

Has anyone run into this message?

"Search generated too much data for the current display configuration, results have been truncated"

The search is for collecting and grouping latency times (spent).

source="/opt/splunk/var/log/splunk/web_access.log"

| eval dum=case(spent==0, spent)
| eval 0-99(ms)=case(spent>=0 AND spent<=99, spent)
| eval 100-199(ms)=case(spent>=100 AND spent<=199, spent)
| eval 200-299(ms)=case(spent>=200 AND spent<=299, spent)
| eval 300-399(ms)=case(spent>=300 AND spent<=399, spent)
| eval 400-499(ms)=case(spent>=400 AND spent<=499, spent)
| eval over500(ms)=case(spent>=500, spent)
| table spent 0-99(ms) 100-199(ms) 200-299(ms) 300-399(ms) 400-499(ms) over500(ms)

kbecker · ‎09-29-2016

This does increase the value but there is still an upper limit that is hard coded

davidpaper · ‎09-29-2016

Hi,

I 6.x and above, you can alter the max number of data points in a series for a timechart in a dashboard and stay w/in the HTML5 realm and not need to invoke Flash.

< option name="charting.data.count" >9999 </ option >

to get around the 1000 point limitation in timechart.

kbecker · ‎09-29-2016

Have you opened a support ticket with Splunk, we are trying to get them to remove these limits and more customers will help drive this.

uuppuluri_splun · ‎12-19-2013

For simple XML, in 5.0.3.1 and above, you can set the config as below in $SPLUNK_HOME/etc/system/local/web.conf
[settings]
simple_xml_force_flash_charting = true

For Advanced XML, change

layoutPanel="graphArea"> in
etc/apps/search/default/data/ui/views/charting.xml to
FlashChart.

Hope This Helps!

Search generated too much data...

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms