Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to fix metadata error "5000000 entries have been received...and this search will not return metadata information for anymore entries."?

splunksurekha
Path Finder
‎03-25-2015 04:09 AM

Hi,

I have increased the maxcount value to 5000000, but still I am getting the error: 

"Metadata results may be incomplete: 5000000 entries have been received from all peers (see parameter maxcount under the [metadata] stanza in limits.conf), and this search will not return metadata information for any more entries. (sid=rt_1427108700.117555)"

Please suggest a permanent fix for this issue.

Thanks
Surekha

Tags (2)
0 Karma
Reply

masonmorales
Influencer
‎03-25-2015 06:42 AM

Well, if you need complete metadata results, you need complete metadata results. What happens if you edit your limits.conf and change maxcount from 5000000 to 4294967296? It sounds to me like you just didn't increase the value enough.

0 Karma
Reply

aaronkorn
Splunk Employee
Splunk Employee
‎03-25-2015 05:18 AM

Update this metadata entry in $SPLUNK_HOME/etc/system/local/limits.conf to a higher value.

[metadata]
    maxresultrows = <integer>
     * the maximum number of results in a single chunk fetched by the metadata command
     * a smaller value will require less memory on the search head in setups with
       large number of peers and many metadata results, though, setting this too
       small will decrease the search performance
     * default is 10000
     * do not change unless instructed to do so by Splunk Support
    maxcount = <integer>
     * the total number of metadata search results returned by the search head;
       after the maxcount is reached, any addtional metadata results received from
       the search peers will be ignored (not returned)
     * a larger number incurs additional memory usage on the search head
     * default is 100000
0 Karma
Reply

splunksurekha
Path Finder
‎03-25-2015 05:26 AM

Hi,

So as many times it reaches the maximum value so many times we need to keep increasing the maxcounts value ?

Thanks
surekha

0 Karma
Reply
Get Updates on the Splunk Community!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...

Splunk APM: New Product Features + Community Office Hours Recap!

Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...