Splunk Search

How to avoid this error: "WARN StatsProcessor - 'stats' command: limit for values of field 'user_id' reached. Some values may have been truncated or ignored."

su_kumar
New Member

Hi,

I am using the stats command with the list() function, and I am getting the error below.

Error:
'stats' command: limit for values of field 'xxx' reached. Some values may have been truncated or ignored.

WARN StatsProcessor - 'stats' command: limit for values of field 'user_id' reached. Some values may have been truncated or ignored.
ERROR SearchParser - Missing a search command before '|'. Error at position '2086' of search query '| tstats count AS count sum(Web_Access_Event.bytes...{snipped} {errorcontext = main | |dedup user}'.

I have configured limit.conf:
[stats]
list_maxsize = 10000
maxresultrows = 50000
maxvalues = 10000
maxvaluesize = 10000
Unfortunately, after setting this in limit.conf, I am unable to fix this issue.
Can anyone help me with this issue?

0 Karma

koshyk
Super Champion

Can you please try changing your query to:

| stats sum(bytes_in) as Total_Bandwidth_User_group dc(user_id) as Total_No_User  by user_id, group
| eventstats sum(Total_Bandwidth_User_group) as Total_Bandwidth by group 
| rename group AS "AD Group"
0 Karma

DavidHourani
Super Champion

Hi there,

Try this:

[stats]
list_maxsize = 10000
maxresultrows = 50000
maxvalues = 10000
maxvaluesize = 10000

From here:
https://answers.splunk.com/answers/132521/stats-command-limit-for-values-of-field-xxx-reached-some-v...

Seems like they have the same issue.

Cheers,
David

0 Karma

su_kumar
New Member

Hi,
The solution below is not working:
[stats]
list_maxsize = 10000
maxresultrows = 50000
maxvalues = 10000
maxvaluesize = 10000

0 Karma

DavidHourani
Super Champion

Oh, if this is your query, then you need to remove the pipe in front of dedup and go for the values function instead of the list function 😄

 |stats values("user_id") as User dc(user_id) as Total_No_User sum(bytes_in)  as Total_Bandwidth by  group | eventstats sum(bytes_in) as Total_Bandwidth by group | rename group AS "AD Group"
0 Karma

DavidHourani
Super Champion

@su_kumar did this work for you using values instead of list?

0 Karma

DavidHourani
Super Champion

Replace with the new query I posted here:

|stats values("user_id") as User dc(user_id) as Total_No_User sum(bytes_in)  as Total_Bandwidth by  group | eventstats sum(bytes_in) as Total_Bandwidth by group | rename group AS "AD Group"
0 Karma

su_kumar
New Member

I have removed the pipe but still see the error, and I am not able to see the last column's duration value.

Latest query:

dedup user_id | eval duration = round(duration,2) | eval duration=tostring(duration,"duration") | sort group,user_id | where bytes_in >0 |stats list("user_id") as User,list("dest_domain") as Application,list("bytes_in") as Bandwidth_used, list("duration") as Time by group
| rename group AS "AD Group"
</query>

Warning:
19 08:46:33.559 -0700 WARN StatsProcessor - Specified field(s) missing from results: 'duration'
05-08-2019 08:46:33.890 -0700 WARN StatsProcessor - 'stats' command: limit for values of field 'user_id' reached. Some values may have been truncated or ignored.
05-08-2019 08:46:34.153 -0700 WARN StatsProcessor - Specified field(s) missing from results: 'duration'
05-08-2019 08:46:36.159 -0700 WARN DispatchManager - The instance is approaching the maximum number of historical searches that can be run concurrently.
05-08-2019 08:46:36.182 -0700 WARN DispatchManager - The instance is approaching the maximum number of historical searches that can be run concurrently

0 Karma

koshyk
Super Champion

Can you please post your SPL which has the stats function?
I don't think it is a limits.conf issue, as there might be scope for improvement in the SPL.

0 Karma

su_kumar
New Member
<query> 
|dedup user_id  |stats list("user_id") as User dc(user_id) as Total_No_User sum(bytes_in)  as Total_Bandwidth by  group | eventstats sum(bytes_in) as Total_Bandwidth by group | rename group AS "AD Group"
</query>
    </search>
0 Karma

codebuilder
Influencer

You have an errant pipe in your search between main and dedup:

ERROR SearchParser - Missing a search command before '|'. Error at position '2086' of search query '| tstats count AS count sum(Web_Access_Event.bytes...{snipped} {errorcontext = main | |dedup user}'.
----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma
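
The errant-pipe failure pointed out in the post above can be caught before a dashboard query is saved. The following is an added example, not part of the thread and not Splunk code: a heuristic Python check that flags a `|` directly following another `|` outside double-quoted strings. The function names and sample queries are constructed, and offsets are 0-based.

```python
def find_empty_segments(spl):
    """Return 0-based offsets of every '|' that directly follows another '|'
    (only whitespace in between), ignoring pipes inside double-quoted strings.
    A single leading pipe (e.g. '| tstats ...') is not flagged."""
    hits = []
    in_quote = False
    escaped = False
    last_pipe = None  # offset of previous pipe if only whitespace seen since
    for i, ch in enumerate(spl):
        if in_quote:
            if escaped:
                escaped = False          # character after a backslash is literal
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_quote = False
            continue
        if ch == '"':
            in_quote = True
            last_pipe = None             # a quoted token counts as content
        elif ch == "|":
            if last_pipe is not None:
                hits.append(i)           # nothing but whitespace since last pipe
            last_pipe = i
        elif not ch.isspace():
            last_pipe = None
    return hits


def report(spl, width=10):
    """Describe each empty segment with a little surrounding context."""
    out = []
    for pos in find_empty_segments(spl):
        snippet = spl[max(0, pos - width): pos + width]
        out.append(f"empty command before '|' at offset {pos}: ...{snippet}...")
    return out


# Constructed sample queries (not taken from the thread's dashboard).
BROKEN = 'index=main | |dedup user_id | stats values(user_id) as User by group'
FIXED = 'index=main | dedup user_id | stats values(user_id) as User by group'
QUOTED = 'index=main | rex field=_raw "a||b" | stats count'

if __name__ == "__main__":
    for query in (BROKEN, FIXED, QUOTED):
        print(report(query) or "ok")
```
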

codebuilder
Influencer

Did you cycle Splunk after modifying limits.conf?

0 Karma

su_kumar
New Member

If you are talking about needing a restart after modifying limits.conf: after modifying limits.conf, I had restarted Splunk.

0 Karma