topic Re: savedsearch command only returns maximum 10000 results? in Reporting

savedsearch command only returns maximum 10000 results?

cycheng — Fri, 05 Jul 2013 08:43:55 GMT

I have a saved search which will return about 80000++ results. I tried the below command in Search bar, it returns correct total of results.

| savedsearch "get_complete_dataset"

Then I use it in my view:

module name="Search" layoutPanel="panel_row1_col1" autoRun="True">
    param name="search">| savedsearch "get_complete_dataset"/param>

    module name="HTML">
      param name="html">
      sid=$results.sid$<br>
      ]]></param>
    /module>
  /module>

About view return sid="1373012981.47". Then I run below command in Search bar:
| loadjob "1373012981.47"

I'm suprise as the job only returns 10000 results. Why is this happened? What can I do so that the search can return correct result?

Re: savedsearch command only returns maximum 10000 results?

eashwar — Mon, 28 Sep 2020 14:15:53 GMT

hello brother,

create a limits.conf in

$SPLUNK_HOME/etc/system/local/

or

$SPLUNK_HOME/etc/apps//local/

create a limits.conf with the below stanza. max is 50000

[searchresults]

maxresultrows = 50000

yours,

eashwar raghunathan

Re: savedsearch command only returns maximum 10000 results?

cycheng — Fri, 05 Jul 2013 09:19:07 GMT

According to the splunk doc, the default number of maxresultrows is 50000. I tried to set it in limit.conf and reboot my server, it still return 10000 results.

Re: savedsearch command only returns maximum 10000 results?

linu1988 — Mon, 08 Jul 2013 18:36:49 GMT

i guess you have to increase the subsearch limit in the limits.conf file. I am not fully sure but check with limits.conf which has 10000 values set. change one by one which you may feel appropriate.And for changing configs you don't have to restart server. Only splunk restart from command line will do.

Re: savedsearch command only returns maximum 10000 results?

bmacias84 — Mon, 08 Jul 2013 19:02:55 GMT

The way you defined your search I beleieve you are hitting the savedsearch limit defined in limits.conf. Just for referance subsearch limits are defined in savedsearches.conf, in particularly dispatch.max_count which the default is 50000. The stanza you want in limits.conf is [subsearch], settings maxout, but the value can not be greater than 10499.

Try removing the | from your param name="search" or try using the HiddenSavedSearch module.

Hope this makes sense or gets you started. Dont forget to accept and vote up answers that help. Cheers

Re: savedsearch command only returns maximum 10000 results?

cycheng — Mon, 28 Sep 2020 14:16:54 GMT

By removing the |, I get "No results found". I tried HiddenSavedSearch with useHistory=False and HiddenSearch, all returns 10000 results to me.

I see this in inspect->search.log, loader - Arguments are: "splunkd" "search" "--id=1373353138.5" "--maxbuckets=0" "--ttl=600" "--maxout=10000" "--maxtime=8640000" "--lookups=1" "--reduce_freq=10" "--user=cycheng" "--pro" "--roles=admin:can_delete:power:user"

I also set the [subsearch] maxout = 5000 in limits.conf, but somehow it doesn't take the maxout settings.

Re: savedsearch command only returns maximum 10000 results?

linu1988 — Tue, 09 Jul 2013 08:56:00 GMT

is it in the default app/ system folder of splunk. For a workaround you can use a macro instead of a savedsearch.

Re: savedsearch command only returns maximum 10000 results?

cycheng — Wed, 10 Jul 2013 15:14:04 GMT

Thanks everybody for your answer. I finally figure out that I have to add | table * in my search. Originally my search is something like this:

index=my_index | JOIN type=inner a b [search index=my_index xx=yy | fields c d e]

Just add *| table ** at the end of the search and it will return the exact number of results, which is 80000++. It is more than the default maxresultrows(50000). I do not set anythings in limits.conf. I don't know why is this working.