Hello.
I'm trying to execute this search:
index = testindex | rex "(<= (?P<senderAddress>.*?) )" | search senderAddress=* | chart dc("messageID") by "senderAddress"
After processing I can see a really nice pie chart 🙂 But I also receive this warning:
These results may be truncated. This
visualization is configured to display
a maximum of 1000 results per series,
and that limit has been reached.
And indeed, I can see only approx. 19k events in the chart, but there should be nearly 25k. At least, the query
index = testindex | rex "(<= (?P<senderAddress>.*?) )" | search senderAddress=* | chart dc("messageID")
returns 25194.
Can you explain to me why the search results are truncated?
Thanks,
Alex.
That limit is there because looking at a pie with 1000 or more slices is fairly pointless.
Have you opened a support case for this? We are trying to get Splunk to remove this limit and more customers behind this will help drive this.
Thanks,
Ken
If you turn this into a dashboard, you can use the charting.data.count option to set a higher limit (even unlimited (0) if you're feeling dangerous).
http://docs.splunk.com/Documentation/Splunk/latest/Viz/ChartConfigurationReference
Well, it looks like I was actually looking for the "top" function.)
I've tried the following query:
index = testindex | rex "(<= (?P
and then opened visualization tab. I think that's what I was trying to achieve.
Thank you for your help.)
The count will be correct as long as you're looking at the tabular data (Splunk 6 tab "Statistics"); the pie rendering will discard data points beyond 1000. You can verify this by appending a stats sum(dc-field) to your by-search.
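To tie the two suggestions above together (raising the chart's charting.data.count limit in a dashboard, and checking the per-sender counts against the tabular data with a stats sum), here is an added Simple XML dashboard example. It is not from the original thread or from Splunk's documentation; the dashboard label, the panel titles, the 24-hour time range and the field alias per_sender are assumptions chosen for the example. The search itself is the one from the question, with the angle brackets XML-escaped as Simple XML requires.

```xml
<dashboard>
  <label>Sender volume (added example)</label>
  <row>
    <panel>
      <chart>
        <title>Distinct messages per sender (no 1000-slice cap)</title>
        <search>
          <!-- same search as in the question; "<" and ">" must be escaped inside Simple XML -->
          <query>index=testindex | rex "(&lt;= (?P&lt;senderAddress&gt;.*?) )" | search senderAddress=* | chart dc(messageID) by senderAddress</query>
          <earliest>-24h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">pie</option>
        <!-- 0 removes the per-series result cap that triggers the truncation warning -->
        <option name="charting.data.count">0</option>
      </chart>
    </panel>
    <panel>
      <table>
        <title>Sanity check: sum of per-sender counts and number of senders</title>
        <search>
          <!-- the stats sum over the by-search output is what the answer above suggests as a verification -->
          <query>index=testindex | rex "(&lt;= (?P&lt;senderAddress&gt;.*?) )" | search senderAddress=* | chart dc(messageID) AS per_sender by senderAddress | stats sum(per_sender) AS summed_per_sender, count AS senders</query>
          <earliest>-24h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
```

The second panel's summed_per_sender is the number the pie chart would show if nothing were dropped, so comparing it with the chart's total shows how much the 1000-result cap (or the "other" bucket) is hiding. Note that it only equals the plain dc(messageID) from the question when every messageID is seen with a single senderAddress; a messageID logged under two senders is counted once per sender in the summed figure.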
Well, as I can see, Splunk just groups all low-count items in one big sector named "other".
http://postimg.org/image/ok8bc1fz5/
As I understand, total count of all events should be the same, no matter whether "by senderAddress" is specified or not.
Where am I wrong?