Splunk Search

How to increase subsearch maxout limit?

sistemistiposta
Path Finder

Hello,

I would like to run a scheduled report once. A very log time search, I don't care about performance or time to complete.
I set in local limits.conf

[subsearch]
# maximum number of results to return from a subsearch
maxout = 100000

but the job inspector says:

INFO: [subsearch]: Subsearch produced 255526 results, truncating to maxout
50000.

Why does it say 50000 and not the 100000 configured value?
I would like to know how to increase the maxout up to 300000.

I don't use the append command, so I can't set maxout on the search itself.

Just for info, my search is

host=*myhosts [search host=myhost KLMS av_status=Clean as_status=Clean | table message_id] | eval message_id=mvindex(split(message_id,"@"),0)."@".lower(mvindex(split(message_id,"@"),-1)) | transaction message_id | search status="Blocked INFECTED" | rename av_status as Kas | rename status as Am | table _time,from,to,Kas,Am

Job inspector seems to say the limit occurs in [subsearch]. I don't have a distributed environment. I have to run it for a 30 day interval.

Thank you very much
Best Regards
Marco

1 Solution

jkat54
SplunkTrust
SplunkTrust

We need your full search string not just partial.

Many commands limit to 50k and we'd love to show you the exact one.

Please read limits.conf documentation in full and see if your question is answered.

http://docs.splunk.com/Documentation/Splunk/6.1/admin/Limitsconf

Search that page for 50000 and I'm sure you'll find your answer.

Also, you may want to insure your limits.conf is on all your servers, not just the search heads:

#    limits.conf settings and DISTRIBUTED SEARCH
#   Unlike most settings which affect searches, limits.conf settings are not
#   provided by the search head to be used by the search peers.  This means that if
#   you need to alter search-affecting limits in a distributed environment, **typically
#   you will need to modify these settings on the relevant peers** and search head for
#   consistent results.

View solution in original post

Runals
Motivator

This doesn't necessarily answer your question but I'm having trouble understanding your need to have the subsearch in the first place. The subsearch is getting the messsage_ids for systems with the status fields of clean. As written I don't see why you couldn't just do

host=*myhosts KLMS av_status=clean as_status=clean | ...

Of course there could be elements of the search you are leaving out which is fine.

sistemistiposta
Path Finder

Hello, in the event where I have *_status, there isn't status. I could perform a single search with status and *_status, but I don't know if it is faster. Thank you very much for this hint.

0 Karma

jkat54
SplunkTrust
SplunkTrust

We need your full search string not just partial.

Many commands limit to 50k and we'd love to show you the exact one.

Please read limits.conf documentation in full and see if your question is answered.

http://docs.splunk.com/Documentation/Splunk/6.1/admin/Limitsconf

Search that page for 50000 and I'm sure you'll find your answer.

Also, you may want to insure your limits.conf is on all your servers, not just the search heads:

#    limits.conf settings and DISTRIBUTED SEARCH
#   Unlike most settings which affect searches, limits.conf settings are not
#   provided by the search head to be used by the search peers.  This means that if
#   you need to alter search-affecting limits in a distributed environment, **typically
#   you will need to modify these settings on the relevant peers** and search head for
#   consistent results.

sistemistiposta
Path Finder

Reviewing similar questions, it's probably maxresultrows. I'll try. Thank you very much.

Get Updates on the Splunk Community!

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...

Splunk and Fraud

Watch Now!Watch an insightful webinar where we delve into the innovative approaches to solving fraud using the ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...