Splunk Search

How to increase the subsearches maxout limit ?

Loves-to-Learn Lots

Hi All,

Can someone please help me if our subsearch has results more than 50000 and we need to append those as well to our main search. As splunk subsearch has maxout 50000 whats the best way to optimize them? to increase the limit in limits.conf or is there any better way to do it by optimizing the query itself to allow the results for more than 50000.



Labels (2)
0 Karma

Loves-to-Learn Lots

Message am getting is Results_maxLimit.png

0 Karma


Hi @datamine 

Good practice is always to limit the events scanned by subsearch, default limit is 10k however increasing this value might not work efficiently and docs says,

maxout = <integer>
* Maximum number of results to return from a subsearch.
* This value cannot be greater than or equal to 10500.
* Default: 10000
0 Karma

Loves-to-Learn Lots

Am aware of the Maxout limit of 50k , am asking the best ways to get the results more than 50k from subsearch to join my output. My use case needs the results more than 50k. And by the way am using join.

So am looking for ways to optimize the query itself without changing limits if its possible and we are using splunk-cloud so even if we request i doubt they will change the limits as they have a simple stance of saying its not allowed as per documentation unfortunately not much of help from splunk-cloud.

Output settings for subsearch commands

By default, subsearches return a maximum of 10,000 results. You will see variations in the actual number of output results because every command can change what the default maxout is when the command invokes a subsearch. Additionally, the default applies to subsearches that are intended to be expanded into a search expression, which is not the case for some commands such as join, append, and appendcols.

  • For example, the append command can override the default maximum if the maxresultrows argument is specified, unless you specify maxout as an argument to the append command.
  • The output limit of the join command is controlled by subsearch_maxout in the limits.conf file. This defaults to 50,000 events.

0 Karma
Get Updates on the Splunk Community!

Index This | Why do they call it hyper text?

November 2023 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

State of Splunk Careers 2023: Career Resilience and the Continued Value of Splunk

For the past three years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

The Great Resilience Quest: 9th Leaderboard Update

The ninth leaderboard update (11.9-11.22) for The Great Resilience Quest is out &gt;&gt; Kudos to all the ...