Splunk Search

How to increase the subsearches maxout limit ?

datamine
Loves-to-Learn Lots

Hi All,

Can someone please help me if our subsearch has results more than 50000 and we need to append those as well to our main search. As splunk subsearch has maxout 50000 whats the best way to optimize them? to increase the limit in limits.conf or is there any better way to do it by optimizing the query itself to allow the results for more than 50000.

Thanks,

Dave

Labels (2)
0 Karma

datamine
Loves-to-Learn Lots

Message am getting is Results_maxLimit.png

0 Karma

venkatasri
SplunkTrust
SplunkTrust

Hi @datamine 

Good practice is always to limit the events scanned by subsearch, default limit is 10k however increasing this value might not work efficiently and docs says,

maxout = <integer>
* Maximum number of results to return from a subsearch.
* This value cannot be greater than or equal to 10500.
* Default: 10000
0 Karma

datamine
Loves-to-Learn Lots

Am aware of the Maxout limit of 50k , am asking the best ways to get the results more than 50k from subsearch to join my output. My use case needs the results more than 50k. And by the way am using join.

So am looking for ways to optimize the query itself without changing limits if its possible and we are using splunk-cloud so even if we request i doubt they will change the limits as they have a simple stance of saying its not allowed as per documentation unfortunately not much of help from splunk-cloud.

Output settings for subsearch commands

By default, subsearches return a maximum of 10,000 results. You will see variations in the actual number of output results because every command can change what the default maxout is when the command invokes a subsearch. Additionally, the default applies to subsearches that are intended to be expanded into a search expression, which is not the case for some commands such as join, append, and appendcols.

  • For example, the append command can override the default maximum if the maxresultrows argument is specified, unless you specify maxout as an argument to the append command.
  • The output limit of the join command is controlled by subsearch_maxout in the limits.conf file. This defaults to 50,000 events.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...