![]() ![]() I have same problem with a more complexe request. I create this small exemple for try to explain my problem. > index="bnc_6261_pr_log_conf" logStreamName="*b6b3-f8d14815eaf8/i-09bfc06d1ff10cb79/config_Ec2_CECIO_Linux/stdout" | eval l = len(message) | stats values(l) as NumberOfCar All message are different, time is different and all 3 have the same logstream name. If I count of length of each message, I have only two length in the output, The biggest message count are not there. Output of 3 event with different message content and lenght: Thanks for your reply, Sorry im a newbie, I try give you much detail possible. Some stats functions have a limit on the number of results they can return, but that does not appear to apply here. The stats command does not have a character limit. To find them use this search index=_internal sourcetype=splunkd component=linebreakingprocessor message="truncating*" ![]() I don't see evidence of event truncation, but if it is happening then there will be messages in splunkd.log saying so. The previous query gets the length (only) of the message field whereas this query gets the length of the entire event. Use stats list(l) to view all lengths rather than just the unique ones. If two message fields have the same length then only two values will be displayed. We don't have enough information to say this is a problem. My question is, Can I change the stats limit in splunk for the max characters ? with which parameter ? and where from the web page ? can be change by non admin and for a specific source ? It for that I can load event with up to 10 000 character. I already change TRUNCATE parameter at 80 000. The event I lose have effectively 28973 character, I thing the actual limit is 10 000. Index="bnc_6261_pr_log_conf" | logStreamName="*b6b3-f8d14815eaf8/i-09bfc06d1ff10cb79/config_Ec2_CECIO_Linux/stdout" | eval length=len(_raw) | stats max(length) perc95(length) max(linecount) perc95(linecount) Index="bnc_6261_pr_log_conf" logStreamName="*b6b3-f8d14815eaf8/i-09bfc06d1ff10cb79/config_Ec2_CECIO_Linux/stdout" | eval l = len(message) | stats values(l) as NumberOfCar I see 3 event, and now if I perform this request My problem is I thing Splunk have max character accepted for stats command, ![]()
0 Comments
Leave a Reply. |
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |