Can someone please help me if our subsearch has results more than 50000 and we need to append those as well to our main search. As splunk subsearch has maxout 50000 whats the best way to optimize them? to increase the limit in limits.conf or is there any better way to do it by optimizing the query itself to allow the results for more than 50000.
Am aware of the Maxout limit of 50k , am asking the best ways to get the results more than 50k from subsearch to join my output. My use case needs the results more than 50k. And by the way am using join.
So am looking for ways to optimize the query itself without changing limits if its possible and we are using splunk-cloud so even if we request i doubt they will change the limits as they have a simple stance of saying its not allowed as per documentation unfortunately not much of help from splunk-cloud.
Output settings for subsearch commands
By default, subsearches return a maximum of 10,000 results. You will see variations in the actual number of output results because every command can change what the default maxout is when the command invokes a subsearch. Additionally, the default applies to subsearches that are intended to be expanded into a search expression, which is not the case for some commands such as join, append, and appendcols.
For example, the append command can override the default maximum if the maxresultrows argument is specified, unless you specify maxout as an argument to the append command.
The output limit of the join command is controlled by subsearch_maxout in the limits.conf file. This defaults to 50,000 events.