Hello All,
I want to count how many sessions are alive from a single IP.
I have a problem with the window size of this Splunk query getting too big:
index="XXX" sourcetype="XXX" NOT IP="xxx.xxx.xxx.xxx" NOT IP="xxx.xxx.xxx.xxx"
| bin _time span=5m
| stats values(SESSIONID) as SESSIONID_MINUTE by IP _time
| sort 0 - _time
| streamstats time_window=30m dc(SESSIONID_MINUTE) as COUNT_SESSIONID by IP
| search COUNT_SESSIONID > 50
| table _time IP COUNT_SESSIONID
Splunk tells me that "The maximum window size (10000) was reached.".
What can I do? Is there any way to get the complete output of the SPL Query?
Thank you for your help!