Does multisearch suffer from subsearch limits?

marcusnilssonmr — Sun, 07 Jun 2015 14:54:50 GMT

Re: Does multisearch suffer from subsearch limits?

acharlieh — Sun, 07 Jun 2015 17:07:05 GMT

That is a very good question! So let's figure it out. First create a test index in your splunk instance. Next we can use gentimes to create 259,200 events (number of seconds in 3 days) and use a summary indexing command collect to populate that index like so:

| gentimes increment=1s start=-3 end=0 | eval _raw=strftime(starttime,"%FT%TZ").", one=1" | fields + _raw | collect index=test

Now we can use multisearch to test our theory. If we are subject to the subsearch maxout limit of 10,000 results, then the following search should only pull back 30,000 events:

| multisearch [search index=test earliest=-7d@d] [search index=test earliest=-7d@d] [search index=test earliest=-7d@d]

And we pull back 777,600 events. Thus multisearch must not be subject to the standard subsearch limit.

Re: Does multisearch suffer from subsearch limits?

cleavesn — Tue, 13 Aug 2019 17:08:50 GMT

Thank you for the note!

topic Re: Does multisearch suffer from subsearch limits? in Splunk Search

Does multisearch suffer from subsearch limits?

Re: Does multisearch suffer from subsearch limits?

Re: Does multisearch suffer from subsearch limits?