Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Can we include maxtime(present in limits.conf) as an argument to format command to increase the subsearch execution time?

nikhiltyagi
Explorer
‎12-15-2014 05:50 PM

Hi,

I am fairly new to splunk. I am trying to execute a subsearch. As a simple debug this is what I tried:
Query - earliest=-2y eventtype="someevent" . this query returns 329,916 events, however when I try this search as a subsearch-
[search earliest=-2y eventtype="someevent"] This returns 587 results. So is it the due to the time limitation of subsearch ( which defaults to 60 secs). Also, is there some way to include maxtime for subsearch, like we can give maxresults using format command?
TIA.

0 Karma
Reply

stephane_cyrill
Builder
‎12-16-2014 04:57 AM

Hi TIA,
The limitation of the number of events can be due to the time limitation of the subsearch.
To change the maxtime or other subsearch attributes edit limits.conf in $SPLUNK_HOME/etc/system/local/
and this is how the stanza to modified looks like.

[subsearch]

maximum number of results to return from a subsearch

maxout = 10000

maximum number of seconds to run a subsearch before finalizing

maxtime = 60

time to cache a given subsearch's results

ttl = 300

NOTE:If the file do not exist you can create it.

0 Karma
Reply
Get Updates on the Splunk Community!

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...