https://community.splunk.com/t5/Splunk-Search/subsearch-results-truncated-as-the-number-of-entries-in-the/m-p/524835#M148060 <P>Hi all,<BR /><BR />Using Splunk cloud I'm trying to look up the time difference between when a message is received from a sender and was delivered to a recipient. I have a lookup which has all the message ids totaling about 400k entries. For each message id, I'm interested in finding how long it took for the server to process the message.&nbsp; Splunk seems to truncate the subsearch to 10000.&nbsp; Here is what was noticed for the search below:</P><P><SPAN>Subsearch produced 423340 results, truncating to maxout 10000.</SPAN></P><P><BR />index="stage" (host="msgsrv*" source="/var/log/messaging/msg.log" [|inputlookup sept-messages | fields id ]<BR />(<BR /><BR />( event=msg_rcvd AND "tag=""body""") OR ( event=msg_sent AND "tag=""body""") OR (event=msg_sent AND "tag=""result""")<BR />)<BR />)</P><P>|reverse<BR />|eval msg_id = id<BR />|eval msg_rcvd_time=if(event == "msg_rcvd", _time, 999999999999.999)<BR />|eval client_out_time=if(event == "msg_sent", _time,999999999999.999)<BR />|stats values(msg_rcvd_time) AS ins values(msg_sent_time) AS outs values(_time) AS times values(_raw) as raws values(to_user) AS to_users values(from_user) AS from_users by msg_id, to_user<BR />|eval first_msg_rcvd_time = mvindex(mvsort(ins), 0)<BR />|eval first_msg_sent_time = mvindex(mvsort(outs), 0)<BR />|eval delta = first_msg_sent_time - first_msg_rcvd_time</P><P>How could the large lookup be processed and any suggestions for improving the above query?</P> Thu, 15 Oct 2020 12:19:26 GMT sravipati 2020-10-15T12:19:26Z https://community.splunk.com/t5/Splunk-Search/subsearch-results-truncated-as-the-number-of-entries-in-the/m-p/524835#M148060 <P>Hi all,<BR /><BR />Using Splunk cloud I'm trying to look up the time difference between when a message is received from a sender and was delivered to a recipient. I have a lookup which has all the message ids totaling about 400k entries. For each message id, I'm interested in finding how long it took for the server to process the message.&nbsp; Splunk seems to truncate the subsearch to 10000.&nbsp; Here is what was noticed for the search below:</P><P><SPAN>Subsearch produced 423340 results, truncating to maxout 10000.</SPAN></P><P><BR />index="stage" (host="msgsrv*" source="/var/log/messaging/msg.log" [|inputlookup sept-messages | fields id ]<BR />(<BR /><BR />( event=msg_rcvd AND "tag=""body""") OR ( event=msg_sent AND "tag=""body""") OR (event=msg_sent AND "tag=""result""")<BR />)<BR />)</P><P>|reverse<BR />|eval msg_id = id<BR />|eval msg_rcvd_time=if(event == "msg_rcvd", _time, 999999999999.999)<BR />|eval client_out_time=if(event == "msg_sent", _time,999999999999.999)<BR />|stats values(msg_rcvd_time) AS ins values(msg_sent_time) AS outs values(_time) AS times values(_raw) as raws values(to_user) AS to_users values(from_user) AS from_users by msg_id, to_user<BR />|eval first_msg_rcvd_time = mvindex(mvsort(ins), 0)<BR />|eval first_msg_sent_time = mvindex(mvsort(outs), 0)<BR />|eval delta = first_msg_sent_time - first_msg_rcvd_time</P><P>How could the large lookup be processed and any suggestions for improving the above query?</P> Thu, 15 Oct 2020 12:19:26 GMT https://community.splunk.com/t5/Splunk-Search/subsearch-results-truncated-as-the-number-of-entries-in-the/m-p/524835#M148060 sravipati 2020-10-15T12:19:26Z https://community.splunk.com/t5/Splunk-Search/subsearch-results-truncated-as-the-number-of-entries-in-the/m-p/524846#M148064 <P>There should be some way about picking up only the first and last event and finding the time difference.. i am not sure how to do that.&nbsp;</P><P>meanwhile, if you want to update the subsearch limitation of 10000 (splunk cloud customers will need to contact splunk support)<BR /><BR />limits.conf file:</P><P>[subsearch]<BR />* This stanza controls subsearch results.<BR />* NOTE: This stanza DOES NOT control subsearch results when a subsearch is called by<BR />commands such as join, append, or appendcols.<BR />* Read more about subsearches in the online documentation:<BR /><A href="http://docs.splunk.com/Documentation/Splunk/latest/Search/Aboutsubsearches" rel="nofollow noopener noreferrer" target="_blank">http://docs.splunk.com/Documentation/Splunk/latest/Search/Aboutsubsearches</A></P><P>maxout =<BR />* Maximum number of results to return from a subsearch.<BR />* This value cannot be greater than or equal to 10500.<BR />* Defaults to 10000.</P> Thu, 15 Oct 2020 13:03:18 GMT https://community.splunk.com/t5/Splunk-Search/subsearch-results-truncated-as-the-number-of-entries-in-the/m-p/524846#M148064 inventsekar 2020-10-15T13:03:18Z https://community.splunk.com/t5/Splunk-Search/subsearch-results-truncated-as-the-number-of-entries-in-the/m-p/524850#M148066 <P>Thank you. Sure will look into that option of increasing. Wondering how large of a value is acceptable though?&nbsp;</P> Thu, 15 Oct 2020 13:14:34 GMT https://community.splunk.com/t5/Splunk-Search/subsearch-results-truncated-as-the-number-of-entries-in-the/m-p/524850#M148066 sravipati 2020-10-15T13:14:34Z