Splunk Enterprise

Results Limiting to 50,000: How to tweak my query to see complete results without restricting?

vishwa
Path Finder

I have below query:


 index=demo-app  TERM(Application) TERM(Received) NOR TERM(processed)
|stats count by ApplicationId
|fields ApplicationId
|eval matchfield=ApplicationId
|join matchfield [search index=demo-app  TERM(App) TERM(transaction)
|stats count by MessageCode
|fields MessageCode
|eval matchfield =MessageCode]

|stats count(matchfield)

When i run this search query the statics values are  limiting to 50,000
How to tweak my query to see complete results without restricting.

 

Labels (1)
Tags (1)
0 Karma
1 Solution

PickleRick
SplunkTrust
SplunkTrust

You're using the join command which spawns a subsearch. Subsearches have a limit on runtime as well as on returned results. You're hitting that limit. Try reworking your search so that you don't need to use join. It's often better to group your data with the stats command especially that both searches you're trying to join are from the same index.

As a side note, with a raw search, I don't think there will be a noticeable difference between TERM(Application) and just searching for the string Application - there would be a huge difference though if you reworked your search | stats into a tstats-based search.

View solution in original post

PickleRick
SplunkTrust
SplunkTrust

You're using the join command which spawns a subsearch. Subsearches have a limit on runtime as well as on returned results. You're hitting that limit. Try reworking your search so that you don't need to use join. It's often better to group your data with the stats command especially that both searches you're trying to join are from the same index.

As a side note, with a raw search, I don't think there will be a noticeable difference between TERM(Application) and just searching for the string Application - there would be a huge difference though if you reworked your search | stats into a tstats-based search.

Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Using the Splunk Threat Research Team’s Latest Security Content

REGISTER HERE Tech Talk | Security Edition Did you know the Splunk Threat Research Team regularly releases ...

SplunkTrust | 2024 SplunkTrust Application Period is Open!

It's that time again, folks! That's right, the application/nomination period for the 2024 SplunkTrust is ...