I have a saved search which will return about 80000++ results. I tried the below command in Search bar, it returns correct total of results.
| savedsearch "get_complete_dataset"
Then I use it in my view:
module name="Search" layoutPanel="panel_row1_col1" autoRun="True"> param name="search">| savedsearch "get_complete_dataset"/param> module name="HTML"> param name="html"> sid=$results.sid$<br> ]]></param> /module> /module>
About view return sid="1373012981.47". Then I run below command in Search bar:
| loadjob "1373012981.47"
I'm suprise as the job only returns 10000 results. Why is this happened? What can I do so that the search can return correct result?
Thanks everybody for your answer. I finally figure out that I have to add | table * in my search. Originally my search is something like this:
index=my_index | JOIN type=inner a b [search index=my_index xx=yy | fields c d e]
Just add *| table ** at the end of the search and it will return the exact number of results, which is 80000++. It is more than the default maxresultrows(50000). I do not set anythings in limits.conf. I don't know why is this working.
The way you defined your search I beleieve you are hitting the savedsearch limit defined in limits.conf. Just for referance subsearch limits are defined in savedsearches.conf, in particularly dispatch.max_count which the default is 50000. The stanza you want in limits.conf is [subsearch], settings maxout, but the value can not be greater than 10499.
Try removing the | from your param name="search" or try using the HiddenSavedSearch module.
Hope this makes sense or gets you started. Dont forget to accept and vote up answers that help. Cheers
By removing the |, I get "No results found". I tried HiddenSavedSearch with useHistory=False and HiddenSearch, all returns 10000 results to me.
I see this in inspect->search.log, loader - Arguments are: "splunkd" "search" "--id=1373353138.5" "--maxbuckets=0" "--ttl=600" "--maxout=10000" "--maxtime=8640000" "--lookups=1" "--reduce_freq=10" "--user=cycheng" "--pro" "--roles=admin:can_delete:power:user"
I also set the [subsearch] maxout = 5000 in limits.conf, but somehow it doesn't take the maxout settings.
i guess you have to increase the subsearch limit in the limits.conf file. I am not fully sure but check with limits.conf which has 10000 values set. change one by one which you may feel appropriate.And for changing configs you don't have to restart server. Only splunk restart from command line will do.
create a limits.conf in
create a limits.conf with the below stanza. max is 50000
maxresultrows = 50000