Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to increase transaction command output limit and always fetch latest transactions?

gut1kor
Explorer
‎02-16-2023 06:10 AM

Hi Team,

I have events being pushed to HTTP event collector 24/7. In my dashboard I query and format the events using transaction command based on a field traceparent. It's working fine, but the report is only showing 4999 transactions. Is it a limit set on the Splunk server? Where are these limits set and are there any guidelines to increase it without impacting server performance negatively?

I also observed that if by 10AM in a day I got 4999 transactions then the new transactions which came after 10AM are not displayed by the query. I have to change the timer to 'last 60 min', 'last 15 min' etc to get the latest ones. Even if my query hits the top line limit of 4999, how to make sure that those 4999 transactions are the latest (from the time the query is executed) and not the old ones? Like if run the query at 2PM, I want to get those 4999 transactions from 2PM down till 11AM etc. How to achieve that?

Thank you. 

Labels (2)
Labels
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...