![]() ![]() This existing question, was about the 10,000 row limit in the "postprocess" part of the Search API, that applies when the base search is a non-transformed search (aka a "raw event" search). Well, this is a little confusing, but you're actually talking about two pretty unrelated limits, that just happen to both have 10,000 as the default. btool limits listĬan you suggest a different method than using streamstats? Every event in the 450K+ test case has this counter output. I even verified it using btool to see if was appearing in the config. I ran into the 10K limit of streamstats and it looks like I can't get around it, even though I changed max_stream_window in /Splunk/etc/system/local/nf and restarted Splunk. I'm trying to find instances where this counter messes up and identify the event # where it happens and then timechart it. There is a process counter that starts at event=1 and runs until the end doing i++ basically. I am using streamstats to find anomalies between my events. I almost created my own post but I found this one which is close enough to my question. I ran this test and the table displays "10000". Indeed, I ran some tests and it looks like in 5.0 the truncation happens at 10,000 rows. The official docs give only incomplete explanations and they recommend the peculiar pathof using the si* commands in your base search, which I really do not recommend. I'll admit that I am biased here, but the best and most detailed description of the various pitfalls, and the clearest explanation of the best practice here, is in the latest Sideview Utils app, under "Key Techniques > Using PostProcess > Introduction". I'm not sure what the canonical list of non-streaming transforming commands is, but the real answer is you should be using the stats command somewhere anyway to make the number of rows smaller, so as long as you're doing that, stats will also be your transforming command and there will be no truncation. (it actually looks like in 5.0 the limit is at 10,000, not 50,000 - ) This means that later when you run your postprocess there can be misleading results. The limit you're talking about is the one where, if your base search is just returning raw event rows, Splunk only keeps 50,000 events in the search result. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |