While you are doing requests in Splunk, especially for dashboards, you will try to optimize it and reuse as much as possible.

But, if you are doing this, be sure that the common request doesn't contains a sort operator if you don't need to. Because the usage of the sort operator will automatically limit you at the first 10K rows for your search.

So if you want to generate a dashboard showing :

• the number of calls
• the timechart
• ...
• and the last logs be sure that you only have the sort on the subrequest that show the logs.

Otherwise you will see only 10k in the number of calls and a hole in your timechart.

I hope it will help you! 🍺