Splunk Search

Search query returns only 50000 events/results in total, though the total number of events/results is almost 56 lakh.

dhsetty
Explorer

Hi Splunk Users,

I am observing an issue when I query Splunk:
the search query returns only 50000 events/results in total, though the total number of events/results is almost 56 lakh.

Help in resolving this issue is much needed, please.

Let me know what settings I need to make in any of the Splunk configuration files.

Thanks & Regards,
Dharmendra Setty


lguinn2
Legend

You set maxresultrows to 5 million, when Splunk specifies that it cannot be more than 50 thousand. From the documentation:

* This limit should not exceed 50000. Setting this limit higher than 50000
  causes instability.
* Defaults to 50000.

It is a wonder that your Splunk did not simply crash. What are you trying to do where over 50K raw events will be useful? That is many more events than anyone could possibly examine. If you categorize your data, Splunk will be able to produce up to 50K rows of results, which could summarize your "lakh" events. Splunk can search all those events, but it cannot return that many results to the browser!!


dhsetty
Explorer

Thanks for sharing the limitation on Splunk end.

My requirement is:
1. Triggering a search query to get the mails between start time '04/11/2017:12:30:00' and
end time '04/12/2017:09:59:00'. Currently my Splunk DB has 30000 mails in it.
NOTE: Every mail has between 12 and 40 events in it, so on average it will be about 26 events per mail.
So it will be 7,80,000 events.

To address this requirement I queried for all data between these times, where I ended up getting only 50 events in total from the query response.

Any other idea to overcome this limitation and still get all the 7,80,000 events?

Thanks,


dhsetty
Explorer

I tried the below for fewer mails, which come to around 16 lakh events/results: [BUT NO LUCK...!!]

vm30esa0072:rtestuser 116] /data/third_party/splunk/bin/splunk dispatch "* starttime=04/11/2017:00:00:00 endtime=04/12/2017:23:59:00 | stats count" -auth admin:changeme
count

1686815

==> In total there are around 16 lakh events/results in the Splunk DB, but I get only 50K results...!!
limits.conf file snippet:

# Copyright (C) 2005-2010 Splunk Inc. All Rights Reserved. Version 3.0
#
# DO NOT EDIT THIS FILE!
# Please make all changes to files in $SPLUNK_HOME/etc/system/local.
# To make changes, copy the section/stanza you want to change from $SPLUNK_HOME/etc/system/default
# into ../local and edit there.
#
# This file configures various limits to the Splunk's search commands.
#
# CAUTION: Do not alter the settings in limits.conf unless you know what you are doing.
# Improperly configured limits may result in splunkd crashes and/or memory overuse.

[searchresults]
maxresultrows = 5000000

# maximum number of times to try in the atomic write operation (1 = no retries)
tocsv_maxretry = 5

# retry period is 1/2 second (500 milliseconds)
tocsv_retryperiod_ms = 500

Thanks & Regards,
Dharmendra Setty


yannK
Splunk Employee

Many search commands have limits, not just searchresults.

What is your search ?



pradeepkumarg
Influencer

What is your search? Most likely you are hitting a limit, in which case the job inspector will tell you what is limiting your result set.


dhsetty
Explorer

Hi Pradeep,

How do I use the job inspector to check what is limiting the results to only 50000?

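An added example, not code from the thread or from Splunk, showing the two ways a practitioner usually gets past the 50000-row cap that lguinn2 describes without raising maxresultrows: paging the finished job's results through the REST API in chunks no larger than the cap, and reading the job's messages (the same warnings the Job Inspector shows) to confirm whether the job was truncated. The export endpoint, which streams all rows without a stored result set, is included as the alternative. The management URL https://localhost:8089, the admin:changeme credentials (the thread uses them on the CLI), the time window from the thread, and the function names are assumptions of this example.

```python
"""Page a Splunk search past maxresultrows via the REST API (added example).

Assumed, not from the thread: splunkd on https://localhost:8089,
credentials admin:changeme, self-signed management certificate.
"""
import base64
import json
import ssl
import time
import urllib.parse
import urllib.request

BASE = "https://localhost:8089"   # assumed splunkd management port
AUTH = "admin:changeme"           # assumed credentials
MAX_ROWS = 50000                  # searchresults.maxresultrows ceiling from the docs

# Lab only: the default splunkd certificate is self-signed. In production
# pass a context that verifies the server certificate instead.
_CTX = ssl._create_unverified_context()


def _request(path, data=None):
    """One authenticated REST call; POST if data is given, GET otherwise."""
    body = urllib.parse.urlencode(data).encode() if data else None
    req = urllib.request.Request(BASE + path, data=body)
    token = base64.b64encode(AUTH.encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    return urllib.request.urlopen(req, context=_CTX)


def _json(path, data=None):
    with _request(path, data) as resp:
        return json.load(resp)


def start_job(spl, earliest, latest):
    """POST search/jobs and return the search id (sid)."""
    search = spl if spl.lstrip().startswith("search") else "search " + spl
    resp = _json("/services/search/jobs", {
        "search": search,
        "earliest_time": earliest,
        "latest_time": latest,
        "output_mode": "json",
    })
    return resp["sid"]


def wait_for_job(sid, poll_seconds=2):
    """Poll the job until isDone; return (messages, eventCount).

    messages is the list the Job Inspector draws its warnings from, so a
    truncated job shows up here without opening the UI.
    """
    while True:
        content = _json(f"/services/search/jobs/{sid}?output_mode=json")["entry"][0]["content"]
        if content.get("isDone"):
            return content.get("messages", []), int(content.get("eventCount", 0))
        time.sleep(poll_seconds)


def rest_fetch_page(sid):
    """Build a fetch_page(offset, count) callable over the job's results endpoint."""
    def fetch_page(offset, count):
        path = f"/services/search/jobs/{sid}/results?output_mode=json&offset={offset}&count={count}"
        return _json(path)["results"]
    return fetch_page


def fetch_all_rows(fetch_page, page=MAX_ROWS):
    """Collect every row by paging in chunks that never exceed maxresultrows.

    fetch_page(offset, count) returns a list of rows; the first short page
    (fewer than `page` rows, possibly empty) marks the end of the result set.
    """
    if not 1 <= page <= MAX_ROWS:
        raise ValueError(f"page size must be between 1 and {MAX_ROWS}")
    rows, offset = [], 0
    while True:
        chunk = fetch_page(offset, page)
        rows.extend(chunk)
        if len(chunk) < page:
            return rows
        offset += page


def export_to_file(spl, earliest, latest, out_path):
    """Stream the whole result set with search/jobs/export (no stored job, no row cap)."""
    search = spl if spl.lstrip().startswith("search") else "search " + spl
    data = {"search": search, "earliest_time": earliest,
            "latest_time": latest, "output_mode": "csv"}
    with _request("/services/search/jobs/export", data) as resp, open(out_path, "wb") as fh:
        for line in resp:
            fh.write(line)


if __name__ == "__main__":
    # Window from the thread; the search itself is assumed.
    sid = start_job("*", "04/11/2017:12:30:00", "04/12/2017:09:59:00")
    messages, count = wait_for_job(sid)
    print(f"job {sid}: eventCount={count}, messages={messages}")
    rows = fetch_all_rows(rest_fetch_page(sid))
    print(f"fetched {len(rows)} rows in pages of {MAX_ROWS}")
```

The paging loop is the part worth keeping: it stops on the first short page rather than relying on eventCount, so it behaves the same whether the job finalized cleanly or was cut off, and it refuses page sizes above the documented ceiling so nobody reintroduces the instability lguinn2 warns about by passing count=5000000. For one-off bulk pulls, export_to_file is simpler and avoids materializing the job's result set at all.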