I am fairly new to Splunk. I am trying to execute a subsearch. As a simple debug, this is what I tried:
Query: earliest=-2y eventtype="someevent". This query returns 329,916 events; however, when I try this search as a subsearch:
[search earliest=-2y eventtype="someevent"] this returns 587 results. So is it due to the time limitation of the subsearch (which defaults to 60 secs)? Also, is there some way to include maxtime for a subsearch, like we can give maxresults using the format command?
The limitation on the number of events can be due to the time limitation of the subsearch.
To change maxtime or other subsearch attributes, edit limits.conf in $SPLUNK_HOME/etc/system/local/,
and this is how the stanza to be modified looks:
# maximum number of results to return from a subsearch
maxout = 10000
# maximum number of seconds to run a subsearch before finalizing
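For reference, here is the complete [subsearch] stanza with the settings the answer refers to written out. This is an added example, not text from the answer above. The key names and the defaults noted in the comments (maxout = 10000, maxtime = 60, ttl = 300) are Splunk's documented ones; the raised maxtime value is an illustrative assumption, not a recommendation for every deployment.

```ini
# $SPLUNK_HOME/etc/system/local/limits.conf
# Added example: overrides for the subsearch limits. Values marked
# "illustrative" are assumptions chosen for this example.
[subsearch]
# maximum number of results to return from a subsearch (Splunk default: 10000)
maxout = 10000
# maximum number of seconds to run a subsearch before finalizing (Splunk default: 60)
# illustrative: raised so a 2-year subsearch is not cut off at 60 seconds
maxtime = 300
# time, in seconds, to cache the subsearch results (Splunk default: 300)
ttl = 300
```

Restart splunkd after editing, then confirm the effective values with splunk btool limits list subsearch --debug, which also shows which file each value comes from. Two caveats worth knowing: a 587-result subsearch that stops well below maxout is consistent with maxtime firing rather than the result cap, and the search job inspector reports when a subsearch was finalized or truncated; and | format maxresults=N only raises the result cap for that one search, there is no per-search equivalent for maxtime, so it has to come from limits.conf. Raising maxtime also makes the outer search wait longer and turns hundreds of thousands of events into a very large OR expression, so it is usually better to narrow the subsearch with | fields, | dedup or | stats on the field you actually need, or to move the data into a lookup.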