https://community.splunk.com/t5/Splunk-Search/Subsearch-produced-144180-results-truncating-to-maxout-10000/m-p/433663#M123793 <P>@sumitkathpal, if your use-case is to show tstats count only for sources/domains present in the lookup, instead of using <CODE>| inputlookup</CODE> which will run as a subsearch, you can run <CODE>lookup</CODE> command to identify the domains that are present in the lookup and those which are not can be filtered out. Please try the following query.</P> <PRE><CODE>| tstats `summariesonly` count from datamodel=Email by All_Email.src_user All_Email.subject | `drop_dm_object_name("All_Email")` | lookup local_domain_intel.csv domain as src_user outputnew domain as domainFromLookup | search domainFromLookup!="" | fields - domainFromLookup </CODE></PRE> <P>Following is the run anywhere sample approach that I used to test:</P> <P>1) <STRONG>Created .15M events for lookup</STRONG>. Used streamstats to create unique source names as <CODE>domain</CODE>. PS: datasource="lookup" is created as identifier just for demo purpose.</P> <PRE><CODE>| makeresults count=150000 | fields - _time | streamstats count as domain | eval domain="src".printf("%06d",domain), datasource="lookup" </CODE></PRE> <P>2) <STRONG>Piped outputlookup</STRONG> to above result to save as <CODE>localtestdata.csv</CODE></P> <PRE><CODE>| outputlookup localtestdata.csv </CODE></PRE> <P>3) Used new query to generate stats count by various sources. PS: count below can be changed to any number you want to test. I tested with <CODE>1.5M</CODE> as well. Following is 15K for demo example. Eval function <CODE>random()</CODE> along with <CODE>substr()</CODE> is used to generate some <CODE>random count</CODE>. PS: datasource="tstats" is just for demo purpose.</P> <PRE><CODE>| makeresults count=15000 | fields - _time | streamstats count as src_user | eval src_user=if(src_user&lt;=100,"0",src_user ) | eval src_user="src".printf("%06d",src_user), count=substr("".random(),4), datasource="tstats" </CODE></PRE> <P>PS: <CODE>| eval src_user=if(src_user&lt;=100,"0",src_user )</CODE> eval has been added in raw event to <CODE>rename first 100 events as src000000</CODE> so that not all events from search matches data in lookup.</P> <P>4) Once Lookup file using Step 1 and Step 2 is created and you have run a new search with Query 3 to generate your sample events you can <STRONG>match the <CODE>srcuser</CODE> field in raw event with <CODE>domain</CODE> field in lookup and filter only matched domains</STRONG> using the following command:</P> <PRE><CODE>| lookup localtestdata.csv domain as src_user outputnew domain as domainFromLookup | search domainFromLookup!="" | fields - domainFromLookup </CODE></PRE> Mon, 29 Apr 2019 16:18:32 GMT niketn 2019-04-29T16:18:32Z https://community.splunk.com/t5/Splunk-Search/Subsearch-produced-144180-results-truncating-to-maxout-10000/m-p/433660#M123790 <P>Hi All,</P> <P>I am running tstats command and matching with large lookup file but i am getting the "[subsearch]: Subsearch produced 144180 results, truncating to maxout 10000."</P> <PRE><CODE>| tstats `summariesonly` count from datamodel=Email by All_Email.src_user All_Email.subject | `drop_dm_object_name("All_Email")` | search [| inputlookup local_domain_intel.csv| rename domain as src_user |fields src_user ] </CODE></PRE> <P>My question is : Does my search match it with lookup file and then it truncate to 10000 results ? <BR /> Or First it truncate the lookup file with 10000 than compare with my search ? I checked in my lookup last row i updated with known domain and saved , search didn't produce any result . If i move this known domain in first row than search matches and produces result.</P> <P>Also how to remove this error ?</P> <P>lookup file row : 144180</P> <P>Reason </P> Mon, 29 Apr 2019 06:11:49 GMT https://community.splunk.com/t5/Splunk-Search/Subsearch-produced-144180-results-truncating-to-maxout-10000/m-p/433660#M123790 sumitkathpal 2019-04-29T06:11:49Z https://community.splunk.com/t5/Splunk-Search/Subsearch-produced-144180-results-truncating-to-maxout-10000/m-p/433661#M123791 <P>The subsearch executes first and is limited to returning 10,000 results. It is governed by the <CODE>maxout</CODE> setting in limits.conf, but must always be less than 10500 so changing this value will not help you. You will have to redesign your query.</P> Mon, 29 Apr 2019 12:52:32 GMT https://community.splunk.com/t5/Splunk-Search/Subsearch-produced-144180-results-truncating-to-maxout-10000/m-p/433661#M123791 richgalloway 2019-04-29T12:52:32Z https://community.splunk.com/t5/Splunk-Search/Subsearch-produced-144180-results-truncating-to-maxout-10000/m-p/433662#M123792 <P>You can change the search to use the lookup, something like ( change fields as needed)</P> <PRE><CODE>| tstats `summariesonly` count from datamodel=Email by All_Email.src_user All_Email.subject | `drop_dm_object_name("All_Email")` | inputlookup local_domain_intel.csv domain AS src_user </CODE></PRE> <P>This will match the src_user in the tstats results to lookup contents and return matched results.</P> Mon, 29 Apr 2019 14:42:48 GMT https://community.splunk.com/t5/Splunk-Search/Subsearch-produced-144180-results-truncating-to-maxout-10000/m-p/433662#M123792 lakshman239 2019-04-29T14:42:48Z https://community.splunk.com/t5/Splunk-Search/Subsearch-produced-144180-results-truncating-to-maxout-10000/m-p/433663#M123793 <P>@sumitkathpal, if your use-case is to show tstats count only for sources/domains present in the lookup, instead of using <CODE>| inputlookup</CODE> which will run as a subsearch, you can run <CODE>lookup</CODE> command to identify the domains that are present in the lookup and those which are not can be filtered out. Please try the following query.</P> <PRE><CODE>| tstats `summariesonly` count from datamodel=Email by All_Email.src_user All_Email.subject | `drop_dm_object_name("All_Email")` | lookup local_domain_intel.csv domain as src_user outputnew domain as domainFromLookup | search domainFromLookup!="" | fields - domainFromLookup </CODE></PRE> <P>Following is the run anywhere sample approach that I used to test:</P> <P>1) <STRONG>Created .15M events for lookup</STRONG>. Used streamstats to create unique source names as <CODE>domain</CODE>. PS: datasource="lookup" is created as identifier just for demo purpose.</P> <PRE><CODE>| makeresults count=150000 | fields - _time | streamstats count as domain | eval domain="src".printf("%06d",domain), datasource="lookup" </CODE></PRE> <P>2) <STRONG>Piped outputlookup</STRONG> to above result to save as <CODE>localtestdata.csv</CODE></P> <PRE><CODE>| outputlookup localtestdata.csv </CODE></PRE> <P>3) Used new query to generate stats count by various sources. PS: count below can be changed to any number you want to test. I tested with <CODE>1.5M</CODE> as well. Following is 15K for demo example. Eval function <CODE>random()</CODE> along with <CODE>substr()</CODE> is used to generate some <CODE>random count</CODE>. PS: datasource="tstats" is just for demo purpose.</P> <PRE><CODE>| makeresults count=15000 | fields - _time | streamstats count as src_user | eval src_user=if(src_user&lt;=100,"0",src_user ) | eval src_user="src".printf("%06d",src_user), count=substr("".random(),4), datasource="tstats" </CODE></PRE> <P>PS: <CODE>| eval src_user=if(src_user&lt;=100,"0",src_user )</CODE> eval has been added in raw event to <CODE>rename first 100 events as src000000</CODE> so that not all events from search matches data in lookup.</P> <P>4) Once Lookup file using Step 1 and Step 2 is created and you have run a new search with Query 3 to generate your sample events you can <STRONG>match the <CODE>srcuser</CODE> field in raw event with <CODE>domain</CODE> field in lookup and filter only matched domains</STRONG> using the following command:</P> <PRE><CODE>| lookup localtestdata.csv domain as src_user outputnew domain as domainFromLookup | search domainFromLookup!="" | fields - domainFromLookup </CODE></PRE> Mon, 29 Apr 2019 16:18:32 GMT https://community.splunk.com/t5/Splunk-Search/Subsearch-produced-144180-results-truncating-to-maxout-10000/m-p/433663#M123793 niketn 2019-04-29T16:18:32Z