Splunk Search

Search command Top -> Does not return more than 100K results?

lpolo
Motivator

I need to index the all the Top N results of a field.

Search query:

|top limit=0 field| streamstats count as rank 

The result set never exceeds 100K rows. I looked at $Splunk/etc/system/default/limits.conf and This is a the default for top search command:

[top]
maxresultrows = 50000
# maximum distinct value vectors to keep track of
maxvalues = 0
maxvaluesize = 0

There is not any configuration in the local limits.conf file to override the default.

Question:
How should I configure my local limits.conf file to have all the result set generated by the search command top limit=0?

Thanks,
Lp

Tags (2)
0 Karma

yannK
Splunk Employee
Splunk Employee

please refer to the specifications for limits.conf
http://docs.splunk.com/Documentation/Splunk/5.0.2/Admin/Limitsconf
or in your instance in $SPLUNK_HOME/etc/system/README/limits.conf.spec

This one seems to be the parameter you are looking for.

[top]
maxvalues = < integer >
* Maximum number of distinct field vector values to keep track of.
* Defaults to 100000.

0 Karma

yannK
Splunk Employee
Splunk Employee

you are right, I would expect 0 to be interpreted as unlimited.

Or maybe is there another limit for each subsearch/searchcommand that has precedence.

0 Karma

lpolo
Motivator

Yannk,

Thanks for your input. I have maxvalues set to 0 as presented in my question. I assumed that it should not default to 100K. Is this correct?

Thanks,
Lp

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...