Getting Data In

Why am I encountering the error "The maximum window size (10000) was reached" when the Splunk query gets too big?

barlettal
Engager

Hello All,

I want to count how many sessions are alive from a single IP.

I have a problem with the window size of this splunk query gets to big:

index="XXX" sourcetype="XXX" NOT IP="xxx.xxx.xxx.xxx" NOT IP="xxx.xxx.xxx.xxx"
| bin _time span=5m 
| stats values(SESSIONID) as SESSIONID_MINUTE by IP _time 
| sort 0 - _time 
| streamstats time_window=30m dc(SESSIONID_MINUTE) as COUNT_SESSIONID by IP 
| search COUNT_SESSIONID > 50 
| table _time IP COUNT_SESSIONID

Splunk tell me, that "The maximum window size (10000) was reached.".

What can I do? Is there any way to get the complete output of the SPL Query?

Thank you for your help!

0 Karma
1 Solution

p_gurav
Champion

Hi,
You can try increasing the admin user's srchDiskQuota from 10000 to 100000. To do this, I created the file /etc/system/local/authorize.conf, and added the stanza:

 [role_admin]
  srchDiskQuota = <integer>

Be careful about increasing this quota for non-admin users, as this can severely hamper performance.Also refer documents:
http://docs.splunk.com/Documentation/Splunk/7.0.2/Admin/authorizeconf

View solution in original post

0 Karma

usd0872
Path Finder

You have too many events in the time_window=30m timeframe for streamstats to handle (default=10'000). Considering your event count of close to 1 billion I would recommend to go for fixed instead of sliding 30 minute windows:

 index="XXX" sourcetype="XXX" NOT IP="xxx.xxx.xxx.xxx" NOT IP="xxx.xxx.xxx.xxx"
 | bin _time span=30m 
 | stats dc(SESSIONID) as COUNT_SESSIONID by IP _time 
 | search COUNT_SESSIONID > 50 
 | table _time IP COUNT_SESSIONID

Not exactly what you are looking for, but an approximation, which hopefully is good enough.

p_gurav
Champion

Hi,
You can try increasing the admin user's srchDiskQuota from 10000 to 100000. To do this, I created the file /etc/system/local/authorize.conf, and added the stanza:

 [role_admin]
  srchDiskQuota = <integer>

Be careful about increasing this quota for non-admin users, as this can severely hamper performance.Also refer documents:
http://docs.splunk.com/Documentation/Splunk/7.0.2/Admin/authorizeconf

0 Karma

usd0872
Path Finder

The message is not caused by a lack of disk quota, but by the maximum window size used when using the time_window option to the streamstats command. Increasing srchDiskQuota won't help.

0 Karma

barlettal
Engager

I forgot to say that I have 977'887'114 Events in that app / sourcetype.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...