topic Subsearch limits pre-post filtering? in Splunk Search

Subsearch limits pre-post filtering?

quadrant8 — Tue, 18 Jun 2024 07:22:51 GMT

I've seen the documentation which says "by default subsearches return a maximum of 10,000 results and have a maximum runtime of 60 seconds", but it's unclear if that limit is before or after applying transforms.

e.g. does it apply to the base search (e.g. the output of index=wineventlogs AND ComputerName=MyDesktop is capped at 10k) or if the filtered results (e.g. if I add conditions and filter to reduce the final dataset) is where any results over 10k will be dropped?

Re: Subsearch limits pre-post filtering?

gcusello — Tue, 18 Jun 2024 08:32:38 GMT

Hi @quadrant8 ,

10k events is the limit of subsearch results: if you run the subsearch as a main search, without anithing, have you more or less of 10K events?

if more than 10K events, you have to find a different solution (e.g. putting the subsearch in the main search with an OR condition, defining a correlation key and checking that the correlation key is present in both the searches.

Ciao.

Giuseppe