I am sending CSV files to my Splunk machine. These files vary in record count from 1 to 5000. When I search for all of the rows from a particular source with a string like this: source="/data/inbound/Alaska.CSV", it only returns the first 1000 rows when there are actually 1337 rows. This behaviour occurs for each file which has more than 1000 rows. I know this is some sort of config setting. I just can't find the correct one. I have changed maxresultrows to be a value of 10000 but that doesn't seem to make any difference.
We had the same issue and Splunk Support provided us the solution which worked for us. We are using Splunk 5.0.
In limits.conf, change the following line. Default is 1000.
max_events_per_bucket = 1000
Made the change described above, then recycled Splunk, and it now works like a champ. Thanks!
Could you let us know what the version of your Splunk instance is?
Since you've accepted an answer, was your problem solved? Would you mind sharing what the problem was and how you resolved it?
I am using the 5.0 version.
Yes. This is occurring through Splunkweb.
Is this through Splunkweb?
"... | stats count" would produce a nicer-looking result 🙂
Leaving off the "| stats..." only gives you 1000 matching results? That makes no sense.
A quick grep through my local configuration doesn't cough up any setting that limits anything related to the number of events a search can yield to 1000, so I'm stumped.
Yes. I have verified that all of the events have been indexed by using the following command: "source="/data/inbound/Alaska.CSV" | stats sum(count)". This command states that there are 1337 matching events.
Have you verified that the correct number of events has been indexed, for example by checking the summary page for some sources?
I'm asking these things because a limitation of 1000 events for a plain old search sounds very odd and un-Splunk-ish.
Every row is an event.
Is every CSV file one event or is every row in a CSV file one event?