We reached the limit of 500K results per saved search. We wonder if we can increase it to, let's say, 10 million for one specific app.
But it doesn't refer to one specific app.
Change the dispatch.max_count in savedsearches.conf and place it in $SPLUNK_HOME/etc/apps/appName/local.
;-) Interestingly, the following: "Why are only 10,000 events making it into the summary index?"
-- ALSO, in etc/system/local/limits.conf (create it if it doesn't exist), under the [scheduler] stanza, set max_action_results=100000 (or a limit of your choosing).
Not sure if it's applicable ...