Reputation: 581
Splunk limits the results returned by stats list() function
I have a splunk query which returns a list of values for a particular field. The number of values can be far more than 100 but the number of results returned are limited to 100 rows and the warning that I get is this-
'stats' command: limit for values of field 'FieldX' reached. Some values may have been truncated or ignored.
The query in question can be as simple as this -
| stats list(FieldX)
Please note that I can't use table FieldX since I want the results to be grouped based on another field. Also I can't use stats values(FieldX) since I am extracting 2 fields from an event and these fields have one to one mapping, if I use stats values(), the order is messed up.
I tried stats list(values) limit=500 but it isn't helping. How can I have all the results returned?
Upvotes: 2
Views: 9239
Answers (4)
Reputation: 1
What you could also do in your sub search is:
| table FieldX | mvcombine FieldX
That way, you actually create a stats list(FieldX), without using stats.
Upvotes: 0
Reputation: 33463
Check my answer to your other, related question
Quoting the search from it:
index=ndx sourcetype=srctp Location=* Client=* TransactionNumber=* TransactionTime=*
| eval TNTT=TransactionNumber+" sep "+TransactionTime
| stats values(TNTT) as TNTT by Location Client
| rex field=TNTT "(?<TransactionNumber>\S+) sep (?<TransactionTime>.+)"
| table Location Client TransactionNumber TransactionTime
Note: you may need to reorder the eval line with which fields are added when for sorting via values() in the |stats line (and reorder the corresponding rex order, too)
Upvotes: 1
Reputation: 618
The only option if you have a hard requirement to use list(values) logic is to increase the value list_maxsize from limits.conf. See the complete limits.conf manual entry here: https://docs.splunk.com/Documentation/Splunk/latest/Admin/limitsconf#.5Bstats.7Csistats.5D
list_maxsize is a system wide configuration so you'll have to:
- establish a console connection to the Splunk instance
- edit the limits.conf changing list_maxsize = 500
- restart splunk process
list_maxsize = <integer>
* Maximum number of list items to emit when using the list() function
stats/sistats
* Default: 100
Upvotes: 4
Reputation: 9976
You can try setting the list_maxsize attribute in limits.conf to a higher value. Be warned that this will cause the query to use more memory. Remember to restart Splunk after changing the config file.
Upvotes: 1
Related Questions
- Splunk Query to find greater than
- Splunk Summary Indexes - why does sistats not work like stats?
- 100 result limit from Splunk API call
- stats latest not showing any value for field
- Splunk: Unable to get the correct min and max values
- Splunk doesnt return all the results - using rest API -
- How do I evade the limit of 100 entries in python splunk query
- Splunk returns some queries much faster than others
- Splunk query to filter results
- splunk 4.3.3 indexer filtering issue