I have a splunk query which returns a list of values for a particular field. The number of values can be far more than 100 but the number of results returned are limited to 100 rows and the warning that I get is this-
'stats' command: limit for values of field 'FieldX' reached. Some values may have been truncated or ignored.
The query in question can be as simple as this -
| stats list(FieldX)
Please note that I can't use table FieldX since I want the results to be grouped based on another field. Also I can't use stats values(FieldX) since I am extracting 2 fields from an event and these fields have one to one mapping, if I use stats values(), the order is messed up.
I tried stats list(values) limit=500 but it isn't helping. How can I have all the results returned?
The only option if you have a hard requirement to use list(values) logic is to increase the value list_maxsize from limits.conf. See the complete limits.conf manual entry here: https://docs.splunk.com/Documentation/Splunk/latest/Admin/limitsconf#.5Bstats.7Csistats.5D
list_maxsize is a system wide configuration so you'll have to:
list_maxsize = <integer>
* Maximum number of list items to emit when using the list() function
stats/sistats
* Default: 100