Hi All,
Facing one issue with Splunk: for a search query, records are getting limited to 800000.
The SLR001 total count is not getting displayed as more than 800000 records, but its index actually has more than 900000 records.
I tried changing the maxresultrows value in limits.conf but it's not working.
Also tried the append maxout command in the query, but it's not giving the expected result.
Appreciate any help displaying more than 800000 records for SLR001.
Query Used:
(index=sumidx_slr006 search_stage=slr006) OR (index=sumidx_slr002 stage=transaction slr=slr002) OR (index=sumidx_slr003 slr=slr003 stage=transaction) OR (index=sumidx_slr004 search_name="sumidx_slr004") |append [search index="sumidx_slr001" search_name="sumidx_slr001" |dedup isoClearSysRef]
| eval SLR_name=case(index="sumidx_slr006","SLR006",search_name="sumidx_slr001_change2","SLR001",index="sumidx_slr002","SLR002",index="sumidx_slr003","SLR003",index="sumidx_slr004","SLR004")
| stats count(eval(SLR_status="Breached")) AS Breached,count(eval(SLR_status="Breached" OR SLR_status="Not Breached")) as Total by SLR_name
Output Below:
SLR_name Breached Total
SLR001 315 800000
SLR002 141 1378539
SLR003 1792 1349458
SLR004 17 231518
SLR006 13 220741