Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Receiving strange errors when searching messages by old dates?

metylkinandrey
Communicator
‎11-14-2022 03:42 AM

I get strange errors when searching messages by old dates.

If I put a search for more than two hours, I immediately get the following errors:

2 errors occurred while the search was executing. Therefore, search results might be incomplete.
  • 'stats' command: limit for values of field 'Time' reached. Some values may have been truncated or ignored.
  • 'stats' command: limit for values of field 'messageType' reached. Some values may have been truncated or ignored.

From four days:

4 errors occurred while the search was executing. Therefore, search results might be incomplete. 
  • 'stats' command: limit for values of field 'Time' reached. Some values may have been truncated or ignored.
  • 'stats' command: limit for values of field 'eventTime' reached. Some values may have been truncated or ignored.
  • 'stats' command: limit for values of field 'messageId' reached. Some values may have been truncated or ignored.
  • 'stats' command: limit for values of field 'messageType' reached. Some values may have been truncated or ignored.

One of my requests:

index="external_system" messageType="RABIS-HeartBeat"
| eval timeValue='eventTime'
| eval time=strptime(timeValue,"%Y-%m-%dT%H:%M:%S")
| sort -_time
| eval timeValue='eventTime'
| eval time=strptime(timeValue,"%Y-%m-%dT%H:%M:%S")
| eval Time=strftime(_time,"%Y-%m-%dT%H:%M:%S")
| stats list(Time) as Time list(eventTime) as EventTime list(messageType) as MessageType list(messageId) as Messag11eId by messageType

 

Message example:

curl --location --request POST 'http://mon.pd.dev.sis.org:8088/services/collector/raw' --header 'Authorization: Splunk 02-93-48-9-27' --header 'Content-Type: text/plain' --data-raw '{
"messageType": "HeartBeat",
"eventTime": "2022-11-14T13:34:15",
"messageId": "ED280816-E404-444A-A2D9-FFD2D171F9999"
}'

Can you please tell me how to solve these problems?

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎11-14-2022 11:26 PM

From limits.conf:

 

[stats]
...
list_maxsize = 100
...

Just note that list is very expensive in terms of RAM.  If you have a lot of events,  list(Time) as Time list(eventTime) as EventTime is practically suicidal.  It is best to avoid such stats.

 

View solution in original post

Reply
Solved! Jump to solution

metylkinandrey
Communicator
‎11-22-2022 04:00 AM

All. I'm sorry, I saw that these are the settings:  limits.conf

0 Karma
Reply
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎11-14-2022 11:26 PM

From limits.conf:

 

[stats]
...
list_maxsize = 100
...

Just note that list is very expensive in terms of RAM.  If you have a lot of events,  list(Time) as Time list(eventTime) as EventTime is practically suicidal.  It is best to avoid such stats.

 

Reply
Solved! Jump to solution

metylkinandrey
Communicator
‎11-22-2022 03:56 AM

I try like this for example:

| eval src_Msg_Id=if(len('srcMsgId')==0 OR isnull('srcMsgId')," ",'srcMsgId')
| stats list_maxsize = 10000
| stats list(diff) as TIME_DIF list(event_Time) as EventTime list(src_Msg_Id) as srcMsgId_Бизнес_Сообщения list(routepoint_ID) as RoutepointID list(t_i_d) as Tid list(GISGMP_Request) as GISGMPRequestID list(message_Type) as MessageType list(Packet_GIS_GMP_Id) as PacketGISGMPId count as Кол_Сообщений by srcMsgId_Исх_Сообщения

 

But it doesn't help

0 Karma
Reply
Solved! Jump to solution

metylkinandrey
Communicator
‎11-22-2022 03:38 AM

Hello, tell me, where should I add this in the request?
Request example:

index="main"

| eval srcMsgId_Исх_Сообщения=if(len('Correlation_srcMsgId')==0 OR isnull('Correlation_srcMsgId'),'srcMsgId','Correlation_srcMsgId')

| eval timeValue='eventTime'

| eval time=strptime(timeValue,"%Y-%m-%dT%H:%M:%S.%3N%Z") | sort -eventTime | streamstats values(time) current=f  window=1 as STERAM_RESULT  global=false by srcMsgId_Исх_Сообщения

| eval diff=STERAM_RESULT-time

| stats list(diff)  as TIME_DIF list(eventTime) as eventTime list(srcMsgId) as srcMsgId_Бизнес_Сообщения list(routepointID) as routepointID count as  Кол_Сообщений by srcMsgId_Исх_Сообщения

0 Karma
Reply
Get Updates on the Splunk Community!

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...

Get ready to show some Splunk Certification swagger at .conf24!

Dive into the deep end of data by earning a Splunk Certification at .conf24. We're enticing you again this ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Now On-Demand Join us to learn more about how you can leverage Service Level Objectives (SLOs) and the new ...