While you are doing requests in Splunk, especially for dashboards, you will try to optimize it and reuse as much as possible.
But, if you are doing this, be sure that the common request doesn't contains a sort operator if you don't need to. Because the usage of the sort operator will automatically limit you at the first 10K rows for your search.
So if you want to generate a dashboard showing :
- the number of calls
- the timechart
- ...
- and the last logs be sure that you only have the sort on the subrequest that show the logs.
Otherwise you will see only 10k in the number of calls and a hole in your timechart.
I hope it will help you! 🍺
You want to support me?
Top comments (1)
You can override the 10k limit on sorted results:
Using 0 will override the 10k limit. Any other positive integer will limit the results to that number of results.