Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Event visualization limit

lostpassword
Explorer
‎11-25-2013 03:38 AM

Hello.

I'm trying to execute this search:

index = testindex | rex "(<= (?P<senderAddress>.*?) )" | search senderAddress=* | chart dc("messageID") by "senderAddress"

After processing I can see really nice pie chart 🙂 But I also recieve this warning:

These results may be truncated. This
visualization is configured to display
a maximum of 1000 results per series,
and that limit has been reached.

And indeed, I can see only approx. 19k events in the chart, but there should be near 25k. At least, query 

index = testindex | rex "(<= (?P<senderAddress>.*?) )" | search senderAddress=* | chart dc("messageID")

returns 25194.

Can you explain me why search results are truncated?
Thanks,

Alex.

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎11-25-2013 03:53 AM

That limit is there because looking at a pie with 1000 or more slices is fairly pointless.

View solution in original post

Reply
Solved! Jump to solution

kbecker
Communicator
‎09-29-2016 08:13 AM

Have you opened a support case for this? We are trying to get Splunk to remove this limit and more customers behind this will help drive this.

Thanks,
Ken

0 Karma
Reply
Solved! Jump to solution

sloshburch
Splunk Employee
Splunk Employee
‎01-29-2016 06:43 AM

If you turn this into a dashboard, you can use the charting.data.count option to set a higher limit (even unlimited (0) if you're feeling dangerous.
http://docs.splunk.com/Documentation/Splunk/latest/Viz/ChartConfigurationReference

0 Karma
Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎11-25-2013 03:53 AM

That limit is there because looking at a pie with 1000 or more slices is fairly pointless.

Reply
Solved! Jump to solution

lostpassword
Explorer
‎11-26-2013 03:01 AM

Well, it looks like I was actually looking for "top" function.)
I've tried the following query:
index = testindex | rex "(<= (?P.?) )" | search senderAddress= | top 9 senderAddress useother=t
and then opened visualization tab. I think that's what I was trying to achieve.
Thank you for your help.)

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎11-25-2013 05:23 AM

The count will be correct as long as you're looking at the tabular data (Splunk 6 tab "Statistics"), the pie rendering will discard data points beyond 1000. You can verify this by appending a stats sum(dc-field) to your by-search.

0 Karma
Reply
Solved! Jump to solution

lostpassword
Explorer
‎11-25-2013 04:11 AM

Well, as I can see, Splunk just groups all low-count items in one big sector named "other".
http://postimg.org/image/ok8bc1fz5/
As I understand, total count of all events should be the same, no matter whether "by senderAddress" is specified or not.
Where am I wrong?

0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...