topic Re: How to increase subsearch maxout limit? in Splunk Search

How to increase subsearch maxout limit?

sistemistiposta — Wed, 16 Dec 2015 11:28:15 GMT

Hello,

I would like to run a scheduled report once. A very log time search, I don't care about performance or time to complete.
I set in local limits.conf

[subsearch]
# maximum number of results to return from a subsearch
maxout = 100000

but the job inspector says:

INFO: [subsearch]: Subsearch produced 255526 results, truncating to maxout
50000.

Why does it say 50000 and not the 100000 configured value?
I would like to know how to increase the maxout up to 300000.

I don't use the append command, so I can't set maxout on the search itself.

Just for info, my search is

host=*myhosts [search host=myhost KLMS av_status=Clean as_status=Clean | table message_id] | eval message_id=mvindex(split(message_id,"@"),0)."@".lower(mvindex(split(message_id,"@"),-1)) | transaction message_id | search status="Blocked INFECTED" | rename av_status as Kas | rename status as Am | table _time,from,to,Kas,Am

Job inspector seems to say the limit occurs in [subsearch]. I don't have a distributed environment. I have to run it for a 30 day interval.

Thank you very much
Best Regards
Marco

Re: How to increase subsearch maxout limit?

jkat54 — Wed, 16 Dec 2015 11:31:38 GMT

We need your full search string not just partial.

Many commands limit to 50k and we'd love to show you the exact one.

Please read limits.conf documentation in full and see if your question is answered.

http://docs.splunk.com/Documentation/Splunk/6.1/admin/Limitsconf

Search that page for 50000 and I'm sure you'll find your answer.

Also, you may want to insure your limits.conf is on all your servers, not just the search heads:

#    limits.conf settings and DISTRIBUTED SEARCH
#   Unlike most settings which affect searches, limits.conf settings are not
#   provided by the search head to be used by the search peers.  This means that if
#   you need to alter search-affecting limits in a distributed environment, **typically
#   you will need to modify these settings on the relevant peers** and search head for
#   consistent results.

Re: How to increase subsearch maxout limit?

sistemistiposta — Wed, 16 Dec 2015 12:24:33 GMT

Reviewing similar questions, it's probably maxresultrows. I'll try. Thank you very much.

Re: How to increase subsearch maxout limit?

Runals — Wed, 16 Dec 2015 12:49:23 GMT

This doesn't necessarily answer your question but I'm having trouble understanding your need to have the subsearch in the first place. The subsearch is getting the messsage_ids for systems with the status fields of clean. As written I don't see why you couldn't just do

host=*myhosts KLMS av_status=clean as_status=clean | ...

Of course there could be elements of the search you are leaving out which is fine.

Re: How to increase subsearch maxout limit?

sistemistiposta — Tue, 29 Sep 2020 08:07:59 GMT

Hello, in the event where I have *_status, there isn't status. I could perform a single search with status and *_status, but I don't know if it is faster. Thank you very much for this hint.