https://community.splunk.com/t5/Splunk-Search/Neighbouring-Events-with-localize-and-map-only-retrieving-2-days/m-p/219374#M64470 <P>Hi,</P> <P>I am attempting to find the neighbouring events to a particular event over the last months set of data, but I'm only getting a subset of the results I need. </P> <P>My query, without the map command is </P> <PRE><CODE>host=hostname1 OR host=hostname2 NOT source="WinEventLog:Security" searchterm | localize timebefore=30s </CODE></PRE> <P>which correctly returns results spread over the last month - most days there are a number of events logged. </P> <P>When I add the map command as below, I only receive results from today and yesterday. </P> <PRE><CODE>host=hostname1 OR host=hostname2 NOT source="WinEventLog:Security" searchterm | localize timebefore=30s | map search="search host=hostname1 OR host=hostname2 NOT source=WinEventLog:Security earliest=$starttime$ latest=$endtime$" </CODE></PRE> <P>How can I get all of the last months worth of results? </P> <P>Thanks, <BR /> David</P> Thu, 05 Nov 2015 10:29:09 GMT davidphi 2015-11-05T10:29:09Z https://community.splunk.com/t5/Splunk-Search/Neighbouring-Events-with-localize-and-map-only-retrieving-2-days/m-p/219374#M64470 <P>Hi,</P> <P>I am attempting to find the neighbouring events to a particular event over the last months set of data, but I'm only getting a subset of the results I need. </P> <P>My query, without the map command is </P> <PRE><CODE>host=hostname1 OR host=hostname2 NOT source="WinEventLog:Security" searchterm | localize timebefore=30s </CODE></PRE> <P>which correctly returns results spread over the last month - most days there are a number of events logged. </P> <P>When I add the map command as below, I only receive results from today and yesterday. </P> <PRE><CODE>host=hostname1 OR host=hostname2 NOT source="WinEventLog:Security" searchterm | localize timebefore=30s | map search="search host=hostname1 OR host=hostname2 NOT source=WinEventLog:Security earliest=$starttime$ latest=$endtime$" </CODE></PRE> <P>How can I get all of the last months worth of results? </P> <P>Thanks, <BR /> David</P> Thu, 05 Nov 2015 10:29:09 GMT https://community.splunk.com/t5/Splunk-Search/Neighbouring-Events-with-localize-and-map-only-retrieving-2-days/m-p/219374#M64470 davidphi 2015-11-05T10:29:09Z https://community.splunk.com/t5/Splunk-Search/Neighbouring-Events-with-localize-and-map-only-retrieving-2-days/m-p/219375#M64471 <P>I was having the same problem.<BR /> After some investigation, I found out the problem is not in 'localize' command, but rather in 'map'.<BR /> As stated in <A href="http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/map">Documentation</A> , map will iterate for earch event found in the initial search with new time parameters. By default number of subsearch iterations is limited to 10. <BR /> So after it reaches 10, i suppose it stops searching for other occurences.</P> <P>I solved it by adding 'maxsearches=3000' in map command section, right after ending doublequotes:</P> <P>so in your case:</P> <PRE><CODE> host=hostname1 OR host=hostname2 NOT source="WinEventLog:Security" searchterm | localize timebefore=30s | map search="search host=hostname1 OR host=hostname2 NOT source=WinEventLog:Security earliest=$starttime$ latest=$endtime$" maxsearches=3000 </CODE></PRE> <P>Documentation also states that "A message is generated if there are more search results than the maximum number that you specify. ".<BR /> I guess, they should have added this notification to default use of 'map' without 'maxsearches' option, because result limitation seems weird wihout it.</P> <P>Hope that helps.</P> Thu, 04 Feb 2016 11:49:17 GMT https://community.splunk.com/t5/Splunk-Search/Neighbouring-Events-with-localize-and-map-only-retrieving-2-days/m-p/219375#M64471 mank 2016-02-04T11:49:17Z