This content originally appeared on DEV Community and was authored by Maxime Guilbert
While you are doing requests in Splunk, especially for dashboards, you will try to optimize it and reuse as much as possible.
But, if you are doing this, be sure that the common request doesn't contains a sort operator if you don't need to. Because the usage of the sort operator will automatically limit you at the first 10K rows for your search.
So if you want to generate a dashboard showing :
- the number of calls
- the timechart
- ...
- and the last logs be sure that you only have the sort on the subrequest that show the logs.
Otherwise you will see only 10k in the number of calls and a hole in your timechart.
I hope it will help you! 
This content originally appeared on DEV Community and was authored by Maxime Guilbert
Maxime Guilbert | Sciencx (2022-02-22T12:40:34+00:00) Splunk – 10K rows limit. Retrieved from https://www.scien.cx/2022/02/22/splunk-10k-rows-limit/
Please log in to upload a file.
There are no updates yet.
Click the Upload button above to add an update.
