If the data comes in via port 9997 then it does not have the same limit, but will be truncated at 10,000 bytes. If it comes in via HEC then the limit is 1 million bytes (not characters) and cannot be changed. You are likely running a join or something similar. The truncation can be set for the sourcetype via the TRUNCATE attribute in props. 1) in nf for the app that your search belongs to, under the stanza for your. This default limit will actually be removed in most cases in the next maintenance release (4.1.2). If the data comes in via port 9997 then it does not have the same limit, but will be truncated at 10,000 bytes. Theres by default a limit of 10,000 events that will get summary indexed from each run of a scheduled search. If it comes in via HEC then the limit is 1 million bytes (not characters) and cannot be changed. Latest query: dedup user_id | eval duration = round(duration,2) | eval duration=tostring(duration,"duration") | sort group,user_id | where bytes_in >0 |stats list("user_id") as User,list("dest_domain") as Application,list("bytes_in") as Bandwidth_used, list("duration") as Time by groupġ9 08:46:33.559 -0700 WARN StatsProcessor - Specified field(s) missing from results: 'duration'Ġ5-08-2019 08:46:33.890 -0700 WARN StatsProcessor - 'stats' command: limit for values of field 'user_id' reached. 2 Answers Sorted by: 2 It depends on how the data is sent to Splunk. My report is giving around 30000 results. It depends on how the data is sent to Splunk. I have removed pipe but still see errror and not able to see last column duration value
0 kommentar(er)
