Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Does the multisearch command have a limit like subsearch?

Masa
Splunk Employee
Splunk Employee
‎11-12-2015 02:34 PM

I'm curious about the limit of the multisearch command.

subsearch has limits in limits.conf.
Is there any limit for each search clause in the multisearch command like subsearch?

Reply
1 Solution
Solved! Jump to solution
Solution

cpride_splunk
Splunk Employee
Splunk Employee
‎11-13-2015 03:16 PM

multisearch doesn't have the same type of limits as subsearches as it operates in a very different way. A "subsearch" generally runs during the parse phase of the search and has to finish and return results before the parse finishes. multisearch is a generating search command that will get distributed to the index layer and it alternates between the specified searches returning one packet of results at a time from each search. (There is some variance of the ordering here depending on if the search believes it is order dependent.) The main limitations of multisearch is that it requires that the searches be entirely distributable/streamable given that it is itself distributed.

View solution in original post

Reply
Solved! Jump to solution
Solution

cpride_splunk
Splunk Employee
Splunk Employee
‎11-13-2015 03:16 PM

multisearch doesn't have the same type of limits as subsearches as it operates in a very different way. A "subsearch" generally runs during the parse phase of the search and has to finish and return results before the parse finishes. multisearch is a generating search command that will get distributed to the index layer and it alternates between the specified searches returning one packet of results at a time from each search. (There is some variance of the ordering here depending on if the search believes it is order dependent.) The main limitations of multisearch is that it requires that the searches be entirely distributable/streamable given that it is itself distributed.

Reply
Solved! Jump to solution

Masa
Splunk Employee
Splunk Employee
‎11-14-2015 12:36 PM

Super! Thanks, Chris.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...