Does multisearch suffer from subsearch limits?

marcusnilssonmr
Path Finder
 
acharlieh
Influencer

That is a very good question! So let's figure it out. First, create a test index in your Splunk instance. Next, we can use gentimes to create 259,200 events (the number of seconds in 3 days) and use the summary indexing command collect to populate that index, like so:

| gentimes increment=1s start=-3 end=0 | eval _raw=strftime(starttime,"%FT%TZ").", one=1" | fields + _raw | collect index=test

Now we can use multisearch to test our theory. If we are subject to the subsearch maxout limit of 10,000 results, then the following search should only pull back 30,000 events:

| multisearch [search index=test earliest=-7d@d] [search index=test earliest=-7d@d] [search index=test earliest=-7d@d]

And we pull back 777,600 events. Thus multisearch must not be subject to the standard subsearch limit.

cleavesn
Engager

Thank you for the note!
