Splunk Search

How to increase the subsearches maxout limit ?

datamine
Loves-to-Learn

Hi All,

Can someone please help me if our subsearch has results more than 50000 and we need to append those as well to our main search. As splunk subsearch has maxout 50000 whats the best way to optimize them? to increase the limit in limits.conf or is there any better way to do it by optimizing the query itself to allow the results for more than 50000.

Thanks,

Dave

Labels (2)
0 Karma

datamine
Loves-to-Learn

Message am getting is Results_maxLimit.png

0 Karma

venkatasri
Influencer

Hi @datamine 

Good practice is always to limit the events scanned by subsearch, default limit is 10k however increasing this value might not work efficiently and docs says,

maxout = <integer>
* Maximum number of results to return from a subsearch.
* This value cannot be greater than or equal to 10500.
* Default: 10000
0 Karma

datamine
Loves-to-Learn

Am aware of the Maxout limit of 50k , am asking the best ways to get the results more than 50k from subsearch to join my output. My use case needs the results more than 50k. And by the way am using join.

So am looking for ways to optimize the query itself without changing limits if its possible and we are using splunk-cloud so even if we request i doubt they will change the limits as they have a simple stance of saying its not allowed as per documentation unfortunately not much of help from splunk-cloud.

Output settings for subsearch commands

By default, subsearches return a maximum of 10,000 results. You will see variations in the actual number of output results because every command can change what the default maxout is when the command invokes a subsearch. Additionally, the default applies to subsearches that are intended to be expanded into a search expression, which is not the case for some commands such as join, append, and appendcols.

  • For example, the append command can override the default maximum if the maxresultrows argument is specified, unless you specify maxout as an argument to the append command.
  • The output limit of the join command is controlled by subsearch_maxout in the limits.conf file. This defaults to 50,000 events.

0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!