Splunk Search

Search returning only 1000 rows

ugillr
Engager

I am sending CSV files to my Splunk machine. These files vary in record count from 1 to 5000. When I search for all of the rows from a particular source with a string like this: source="/data/inbound/Alaska.CSV", it only returns the first 1000 rows when there are actually 1337 rows. This behaviour occurs for each file which has more than 1000 rows. I know this is some sort of config setting. I just can't find the correct one. I have changed maxresultrows to be a value of 10000 but that doesn't seem to make any difference.

0 Karma
1 Solution

xchang1226
Path Finder

We had the same issue and Splunk Support provided us the solution which worked for us. We are using Splunk 5.0.

In limits.conf, change the following line. Default is 1000.

max_events_per_bucket = 1000

ugillr
Engager

Made the change described above then recycled Splunk and it now works like a champ. Thanks!

0 Karma

wagnerbianchi
Splunk Employee

Could you let us know what is the version of your Splunk instance?

0 Karma

Ayn
Legend

Since you've accepted an answer, was your problem solved? Would you mind sharing what the problem was and how you resolved it?

0 Karma

ugillr
Engager

I am using the 5.0 version

0 Karma

ugillr
Engager

Yes. This is occurring through Splunkweb.

0 Karma

Ayn
Legend

Is this through Splunkweb?

0 Karma

martin_mueller
SplunkTrust

"... | stats count" would produce a nicer-looking result 🙂

Leaving off the "| stats..." only gives you 1000 matching results? That makes no sense.

A quick grep through my local configuration doesn't cough up any setting that limits anything related to the number of events a search can yield to 1000, so I'm stumped.

0 Karma

ugillr
Engager

Yes. I have verified that all of the events have been indexed by using the following command: source="/data/inbound/Alaska.CSV" | stats sum(count). This command states that there are 1337 matching events.

0 Karma

martin_mueller
SplunkTrust

Have you verified that the correct number of events has been indexed, for example by checking the summary page for some sources?

I'm asking these things because a limitation of 1000 events for a plain old search sounds very odd and un-Splunk-ish.

0 Karma

ugillr
Engager

Every row is an event

0 Karma

martin_mueller
SplunkTrust

Is every CSV file one event or is every row in a CSV file one event?

0 Karma