![]() ![]() If you have command line access on a Linux server you can run btool debug (your path for splunk may vary) to list out the merged configuration splunk is using for outputs. ![]() In the nf for your Splunk instances you'll see something like the following (often port 9997) server=, subsearch: Subsearch produced 12632 results, truncating to maxout 10000. index rawinternetcartonista programa ILCL search index rawinternetcartonista programa WNHC tipo E fields codigoAcesso stats count by info10. 1 Solution Solution vnravikumar Champion 03-20-2019 08:14 AM Hi Are you using sort command It defaults results to 10K, but you can unlimit it by using sort 0. I dont know why its giving less number of results. The total is calculated by using the values in the specified field for every event that has been processed, up to the current event. I suppose you could also install in both locations (Heavy Forwarder and Indexer) if that's simpler for you. How to increase the subsearch limit 05-10-2016 09:12 AM. Hi, When i run a search i was able to see only 100000 results but actually it as like 170000 results. ![]() Universal Forwarder -> Heavy Forwarder(nf here) -> Indexers stats listmaxsize 10000 maxresultrows 50000 maxvalues 10000 maxvaluesize 10000. Is there a setting in nf or anywhere else where I can increase this limit Using values() instead of list() will not work for me, as. Universal Forwarder -> Indexers (nf here) Unfortunately, for some groupings the list size exceeds Splunks limit. Per the Splunk documentation: Description: Calculate aggregate statistics over the dataset, similar to SQL aggregation. (If you’re cool with stats, scroll on down to eventstats or streamstats.) As the name implies, stats is for statistics. Typically, you'll need to have these line breaking rules configured on the first touch point of a full Splunk instance, whether that's a heavy forwarder or indexer. In an effort to keep it simple, I’ll limit the data of interest to five (5) events with the head command. Hi, you can look at nf on each instance to see where it's routing to. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |