Re: savedsearch command only returns maximum 10000...

cycheng · ‎07-05-2013

I have a saved search which will return about 80000++ results. I tried the below command in Search bar, it returns correct total of results.

| savedsearch "get_complete_dataset"

Then I use it in my view:

module name="Search" layoutPanel="panel_row1_col1" autoRun="True">
    param name="search">| savedsearch "get_complete_dataset"/param>

    module name="HTML">
      param name="html">
      sid=$results.sid$<br>
      ]]></param>
    /module>
  /module>

About view return sid="1373012981.47". Then I run below command in Search bar:
| loadjob "1373012981.47"

I'm suprise as the job only returns 10000 results. Why is this happened? What can I do so that the search can return correct result?

cycheng · ‎07-10-2013

Thanks everybody for your answer. I finally figure out that I have to add | table * in my search. Originally my search is something like this:

index=my_index | JOIN type=inner a b [search index=my_index xx=yy | fields c d e]

Just add *| table ** at the end of the search and it will return the exact number of results, which is 80000++. It is more than the default maxresultrows(50000). I do not set anythings in limits.conf. I don't know why is this working.

bmacias84 · ‎07-08-2013

The way you defined your search I beleieve you are hitting the savedsearch limit defined in limits.conf. Just for referance subsearch limits are defined in savedsearches.conf, in particularly dispatch.max_count which the default is 50000. The stanza you want in limits.conf is [subsearch], settings maxout, but the value can not be greater than 10499.

Try removing the | from your param name="search" or try using the HiddenSavedSearch module.

Hope this makes sense or gets you started. Dont forget to accept and vote up answers that help. Cheers

linu1988 · ‎07-09-2013

is it in the default app/ system folder of splunk. For a workaround you can use a macro instead of a savedsearch.

cycheng · ‎07-09-2013

By removing the |, I get "No results found". I tried HiddenSavedSearch with useHistory=False and HiddenSearch, all returns 10000 results to me.

I see this in inspect->search.log, loader - Arguments are: "splunkd" "search" "--id=1373353138.5" "--maxbuckets=0" "--ttl=600" "--maxout=10000" "--maxtime=8640000" "--lookups=1" "--reduce_freq=10" "--user=cycheng" "--pro" "--roles=admin:can_delete:power:user"

I also set the [subsearch] maxout = 5000 in limits.conf, but somehow it doesn't take the maxout settings.

linu1988 · ‎07-08-2013

i guess you have to increase the subsearch limit in the limits.conf file. I am not fully sure but check with limits.conf which has 10000 values set. change one by one which you may feel appropriate.And for changing configs you don't have to restart server. Only splunk restart from command line will do.

eashwar · ‎07-05-2013

hello brother,

create a limits.conf in

$SPLUNK_HOME/etc/system/local/

or

$SPLUNK_HOME/etc/apps//local/

create a limits.conf with the below stanza. max is 50000

[searchresults]

maxresultrows = 50000

yours,

eashwar raghunathan

cycheng · ‎07-05-2013

According to the splunk doc, the default number of maxresultrows is 50000. I tried to set it in limit.conf and reboot my server, it still return 10000 results.

savedsearch command only returns maximum 10000 results?

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation