10/26/2022

Splunk stats

My list msg for each logstream name loses the biggest message when it is bigger than some number of characters, maybe 10 000. I have the same problem with a more complex request. I created this small example to try to explain my problem.

When I first started learning about the Splunk search commands, I found it challenging to understand the benefits of each command, especially how the BY clause impacts the output of a search.

> index="bnc_6261_pr_log_conf" logStreamName="*b6b3-f8d14815eaf8/i-09bfc06d1ff10cb79/config_Ec2_CECIO_Linux/stdout" | eval l = len(message) | stats values(l) as NumberOfCar

The stats, chart, and timechart commands are great commands to know (especially stats).

All messages are different, the time is different and all 3 have the same logstream name. If I count the length of each message, I have only two lengths in the output. The biggest message count is not there. Output of 3 events with different message content and length:

Thanks for your reply. Sorry, I'm a newbie; I try to give you as much detail as possible.

Some stats functions have a limit on the number of results they can return, but that does not appear to apply here. The stats command does not have a character limit.

To find them use this search:

index=_internal sourcetype=splunkd component=linebreakingprocessor message="truncating*"

I don't see evidence of event truncation, but if it is happening then there will be messages in splunkd.log saying so.

The previous query gets the length (only) of the message field whereas this query gets the length of the entire event. Use stats list(l) to view all lengths rather than just the unique ones. If two message fields have the same length then only two values will be displayed. We don't have enough information to say this is a problem.

My question is: can I change the stats limit in Splunk for the max characters? With which parameter? And where from the web page? Can it be changed by a non-admin and for a specific source?
It is for that I can load events with up to 10 000 characters. I already changed the TRUNCATE parameter to 80 000. The event I lose has effectively 28973 characters; I think the actual limit is 10 000.

index="bnc_6261_pr_log_conf" logStreamName="*b6b3-f8d14815eaf8/i-09bfc06d1ff10cb79/config_Ec2_CECIO_Linux/stdout" | eval length=len(_raw) | stats max(length) perc95(length) max(linecount) perc95(linecount)

index="bnc_6261_pr_log_conf" logStreamName="*b6b3-f8d14815eaf8/i-09bfc06d1ff10cb79/config_Ec2_CECIO_Linux/stdout" | eval l = len(message) | stats values(l) as NumberOfCar

I see 3 events, and now if I perform this request

My problem is, I think Splunk has a max number of characters accepted for the stats command,