Why am I encountering the error "The maximum window size (10000) was reached" when the Splunk query gets too big?

barlettal
Engager

Hello All,

I want to count how many sessions are alive from a single IP.

I have a problem: the window size of this Splunk query gets too big:

index="XXX" sourcetype="XXX" NOT IP="xxx.xxx.xxx.xxx" NOT IP="xxx.xxx.xxx.xxx"
| bin _time span=5m 
| stats values(SESSIONID) as SESSIONID_MINUTE by IP _time 
| sort 0 - _time 
| streamstats time_window=30m dc(SESSIONID_MINUTE) as COUNT_SESSIONID by IP 
| search COUNT_SESSIONID > 50 
| table _time IP COUNT_SESSIONID

Splunk tells me that "The maximum window size (10000) was reached."

What can I do? Is there any way to get the complete output of the SPL Query?

Thank you for your help!

0 Karma
1 Solution

p_gurav
Champion

Hi,
You can try increasing the admin user's srchDiskQuota from 10000 to 100000. To do this, I created the file /etc/system/local/authorize.conf, and added the stanza:

 [role_admin]
  srchDiskQuota = <integer>

Be careful about increasing this quota for non-admin users, as this can severely hamper performance. Also refer to the documentation:
http://docs.splunk.com/Documentation/Splunk/7.0.2/Admin/authorizeconf

0 Karma

usd0872
Path Finder

You have too many events in the time_window=30m timeframe for streamstats to handle (default=10'000). Considering your event count of close to 1 billion, I would recommend going with fixed instead of sliding 30-minute windows:

 index="XXX" sourcetype="XXX" NOT IP="xxx.xxx.xxx.xxx" NOT IP="xxx.xxx.xxx.xxx"
 | bin _time span=30m 
 | stats dc(SESSIONID) as COUNT_SESSIONID by IP _time 
 | search COUNT_SESSIONID > 50 
 | table _time IP COUNT_SESSIONID

Not exactly what you are looking for, but an approximation, which hopefully is good enough.
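To make the difference between the two pipelines concrete, here is an added illustration (not code from any post in this thread; the event data is constructed inline). It models what the original `bin 5m | stats values | streamstats time_window=30m dc` pipeline computes, models the fixed `bin 30m | stats dc` replacement, and mimics the streamstats row cap with a configurable `max_window`. The IPs, session IDs and timestamps are made up; the 50-session threshold is the one from the question.

```python
"""Sliding vs. fixed 30-minute distinct-session counts per IP.

Added example for this thread, not code from the original posts. Event
data is constructed below. Window boundary handling is approximate:
a row's window covers the 30 minutes ending at that row's bin start.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)  # naive datetimes, no timezone surprises


def bin_time(ts, span_sec):
    """Floor a datetime to a span boundary, like `bin _time span=...`."""
    secs = int((ts - EPOCH).total_seconds())
    return EPOCH + timedelta(seconds=secs - secs % span_sec)


def fixed_window_counts(events, span_sec=1800):
    """`bin _time span=30m | stats dc(SESSIONID) by IP _time`.

    Returns {(ip, bin_start): distinct session count}. Every event is
    counted exactly once, so memory is one set per (ip, bin)."""
    sessions = defaultdict(set)
    for ts, ip, sid in events:
        sessions[(ip, bin_time(ts, span_sec))].add(sid)
    return {k: len(v) for k, v in sessions.items()}


def sliding_window_counts(events, bin_sec=300, window_sec=1800, max_window=10000):
    """`bin _time span=5m | stats values(SESSIONID) by IP _time
        | streamstats time_window=30m dc(SESSIONID_MINUTE) by IP`.

    One row per (ip, 5m bin) holds that bin's session IDs. For each row,
    the count is the distinct sessions across all rows of the same IP
    inside the trailing window. The rows held in the window are capped at
    max_window, imitating the streamstats limit; exceeding it raises."""
    rows = defaultdict(lambda: defaultdict(set))
    for ts, ip, sid in events:
        rows[ip][bin_time(ts, bin_sec)].add(sid)
    result = {}
    for ip, per_bin in rows.items():
        window = deque()  # (bin_start, session set) rows inside the window
        for start in sorted(per_bin):
            window.append((start, per_bin[start]))
            cutoff = start - timedelta(seconds=window_sec)
            while window[0][0] <= cutoff:
                window.popleft()
            if len(window) > max_window:
                raise RuntimeError(f"The maximum window size ({max_window}) was reached")
            result[(ip, start)] = len(set().union(*(s for _, s in window)))
    return result


def over_threshold(counts, threshold=50):
    """`search COUNT_SESSIONID > 50`."""
    return {k: v for k, v in counts.items() if v > threshold}


def build_sample_events():
    """Constructed sample: 10.0.0.5 opens 60 distinct sessions, one every
    30 seconds from 14:45:00, so 30 fall before 15:00 and 30 after; the
    burst straddles a fixed 30-minute boundary. 10.0.0.9 is quiet."""
    base = datetime(2024, 1, 15, 14, 45)
    events = [(base + timedelta(seconds=30 * i), "10.0.0.5", f"S{i:03d}")
              for i in range(60)]
    events += [(base + timedelta(minutes=10 * i), "10.0.0.9", f"Q{i}")
               for i in range(3)]
    return events


if __name__ == "__main__":
    ev = build_sample_events()
    # Fixed bins see 30 + 30 and flag nothing; the sliding window sees 60.
    print("fixed 30m bins  >50:", over_threshold(fixed_window_counts(ev)))
    print("sliding 30m win >50:", over_threshold(sliding_window_counts(ev)))
    try:
        sliding_window_counts(ev, max_window=5)
    except RuntimeError as err:
        print("with a cap of 5 rows:", err)
```

Running it shows the trade-off usd0872 describes: the fixed-bin version splits the 60-session burst into two bins of 30 and never crosses the threshold, while the sliding window reports 60 at the 15:10 bin. Lowering `max_window` to 5 reproduces the "maximum window size" failure as soon as six 5-minute rows fall inside one 30-minute window, which is the same mechanism that trips the 10000-row cap on the real data set.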

usd0872
Path Finder

The message is not caused by a lack of disk quota, but by the maximum window size used when using the time_window option to the streamstats command. Increasing srchDiskQuota won't help.

0 Karma

barlettal
Engager

I forgot to say that I have 977'887'114 Events in that app / sourcetype.

0 Karma