https://community.splunk.com/t5/Splunk-Search/Subsearch-produced-50000-results-truncating-to-50000-Need-help/m-p/468325#M131853 <P><CODE>timechart</CODE> fails because <CODE>stats</CODE> is not passing on the _time field. See my corrected answer.</P> Tue, 07 Apr 2020 12:23:23 GMT richgalloway 2020-04-07T12:23:23Z https://community.splunk.com/t5/Splunk-Search/Subsearch-produced-50000-results-truncating-to-50000-Need-help/m-p/468316#M131844 <P>Hi, I am dealing with a situation here. Trying to join 2 queries to find out the peak hour volume in last 90 days on a particular page.<BR /> The data needs to come from two queries because of the use of referer in the sub-search.</P> <P>limits.conf can't be modified because there are so many records and due to performance. </P> <P>So Is there any alternate way or if someone can help me with another alternate query, that will be greatly appreciated.</P> <P>index=test sourcetype="access_combined_wcookie" req_content="/checkout/yourdetails" status=200 <BR /> | join uniqueId max=0 <BR /> [ search index=test sourcetype="access_combined_wcookie" req_content="/reviewbasket" referer="<A href="https://www.site.com/content/site/homePage.html*%22" target="_blank">https://www.site.com/content/site/homePage.html*"</A>] <BR /> | timechart span=1h count<BR /> | sort - count</P> <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/129090">@manjunathmeti</a> <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/15147">@somesoni2</a> <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/184221">@to4kawa</a> <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/1406">@woodcock</a> - Will you guys be able to help as you helped me previously?</P> <P>Thanks very much in advance</P> Wed, 30 Sep 2020 04:54:00 GMT https://community.splunk.com/t5/Splunk-Search/Subsearch-produced-50000-results-truncating-to-50000-Need-help/m-p/468316#M131844 Shashank_87 2020-09-30T04:54:00Z https://community.splunk.com/t5/Splunk-Search/Subsearch-produced-50000-results-truncating-to-50000-Need-help/m-p/468317#M131845 <P>Try this as a start.</P> <PRE><CODE>index=test sourcetype="access_combined_wcookie" ((req_content="/checkout/yourdetails" status=200) OR (req_content="/reviewbasket" referer="https://www.site.com/content/site/homePage.html*")) | stats values(*) as * by _time, uniqueId | timechart span=1h count | sort - count </CODE></PRE> Fri, 03 Apr 2020 17:13:13 GMT https://community.splunk.com/t5/Splunk-Search/Subsearch-produced-50000-results-truncating-to-50000-Need-help/m-p/468317#M131845 richgalloway 2020-04-03T17:13:13Z https://community.splunk.com/t5/Splunk-Search/Subsearch-produced-50000-results-truncating-to-50000-Need-help/m-p/468318#M131846 <P>@richgalloway Thanks for the response but it doesn't give anything. When i run, it says no result found.</P> Fri, 03 Apr 2020 17:37:18 GMT https://community.splunk.com/t5/Splunk-Search/Subsearch-produced-50000-results-truncating-to-50000-Need-help/m-p/468318#M131846 Shashank_87 2020-04-03T17:37:18Z https://community.splunk.com/t5/Splunk-Search/Subsearch-produced-50000-results-truncating-to-50000-Need-help/m-p/468319#M131847 <P>Do you get results with <CODE>index=test sourcetype="access_combined_wcookie" ((req_content="/checkout/yourdetails" status=200) <BR /> OR (req_content="/reviewbasket" referer="https://www.site.com/content/site/homePage.html*"))</CODE>? If so, do they all have a uniqueId field? If not, that may be the problem.<BR /> If you still don't get any results then you may have to revert to using <CODE>join</CODE>, but will have to change the subsearch to return fewer results. </P> Fri, 03 Apr 2020 18:35:51 GMT https://community.splunk.com/t5/Splunk-Search/Subsearch-produced-50000-results-truncating-to-50000-Need-help/m-p/468319#M131847 richgalloway 2020-04-03T18:35:51Z https://community.splunk.com/t5/Splunk-Search/Subsearch-produced-50000-results-truncating-to-50000-Need-help/m-p/468320#M131848 <P>One way is to 1st run subsearch to lookup and yeh utilize it in a second one. But I prefer using stats as richgalloway already propose. </P> <P>R. Ismo</P> Sat, 04 Apr 2020 21:14:05 GMT https://community.splunk.com/t5/Splunk-Search/Subsearch-produced-50000-results-truncating-to-50000-Need-help/m-p/468320#M131848 isoutamo 2020-04-04T21:14:05Z https://community.splunk.com/t5/Splunk-Search/Subsearch-produced-50000-results-truncating-to-50000-Need-help/m-p/468321#M131849 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a> <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/214410">@isoutamo</a> Hi, If i just use Stats like below it is giving the result but then when i use the following timechart it doesn't give anything.</P> <P>index=test sourcetype="access_combined_wcookie" ((req_content="/checkout/yourdetails" status=200) <BR /> OR (req_content="/reviewbasket" referer="<A href="https://www.site.com/content/site/homePage.html*%22)" target="_blank">https://www.site.com/content/site/homePage.html*")</A>)<BR /> | stats values(*) as * by uniqueId</P> <P>Can you please help.</P> Wed, 30 Sep 2020 04:54:25 GMT https://community.splunk.com/t5/Splunk-Search/Subsearch-produced-50000-results-truncating-to-50000-Need-help/m-p/468321#M131849 Shashank_87 2020-09-30T04:54:25Z https://community.splunk.com/t5/Splunk-Search/Subsearch-produced-50000-results-truncating-to-50000-Need-help/m-p/468322#M131850 <PRE><CODE>index=test sourcetype="access_combined_wcookie" ((req_content="/checkout/yourdetails" status=200) OR (req_content="/reviewbasket" referer="https://www.site.com/content/site/homePage.html*")) | stats min(_time) as _time dc(req_content) as flag by uniqueId | where flag &gt; 1 | timechart span=1h count | sort - count </CODE></PRE> <P><CODE>timechart</CODE> needs <EM>_time</EM> and <CODE>stats</CODE> with <CODE>*</CODE> does not works internal fields.</P> Sun, 05 Apr 2020 16:33:15 GMT https://community.splunk.com/t5/Splunk-Search/Subsearch-produced-50000-results-truncating-to-50000-Need-help/m-p/468322#M131850 to4kawa 2020-04-05T16:33:15Z https://community.splunk.com/t5/Splunk-Search/Subsearch-produced-50000-results-truncating-to-50000-Need-help/m-p/468323#M131851 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/184221">@to4kawa</a> Hi, Thank you very much for your response. I am somewhat close to the answer but actually what i need is Peak hour volume on the requested content. For example -<BR /> Peak hour volume of "/checkout/yourdetails" and like that there are couple of other scenarios.<BR /> What your is doing is counting all of them as one unit using flag so the result won't be accurate. I don't think this will get the total hits on that particular .</P> <P>Like if i do something like this -<BR /> | stats min(_time) as _time list(req_content) as list dc(req_content) as flag by uniqueId <BR /> under the list column i could see that page is called 3 times but that will be counted as one with above query</P> <P>Can you help?</P> Wed, 30 Sep 2020 04:54:39 GMT https://community.splunk.com/t5/Splunk-Search/Subsearch-produced-50000-results-truncating-to-50000-Need-help/m-p/468323#M131851 Shashank_87 2020-09-30T04:54:39Z https://community.splunk.com/t5/Splunk-Search/Subsearch-produced-50000-results-truncating-to-50000-Need-help/m-p/468324#M131852 <P>my query aims to optimize your query.<BR /> <CODE>actually what i need is Peak hour volume on the requested content.</CODE><BR /> your query is not for this.<BR /> I don't know your log. I can only modify your query.</P> Mon, 06 Apr 2020 21:28:22 GMT https://community.splunk.com/t5/Splunk-Search/Subsearch-produced-50000-results-truncating-to-50000-Need-help/m-p/468324#M131852 to4kawa 2020-04-06T21:28:22Z https://community.splunk.com/t5/Splunk-Search/Subsearch-produced-50000-results-truncating-to-50000-Need-help/m-p/468325#M131853 <P><CODE>timechart</CODE> fails because <CODE>stats</CODE> is not passing on the _time field. See my corrected answer.</P> Tue, 07 Apr 2020 12:23:23 GMT https://community.splunk.com/t5/Splunk-Search/Subsearch-produced-50000-results-truncating-to-50000-Need-help/m-p/468325#M131853 richgalloway 2020-04-07T12:23:23Z