I have the following search to find the number of switches "Off" on a day (call it day=0), and then use a field lookup to search those switches on subsequent days and track when/how many turn on for each next day. There are ~150k switches that are "off" on day=0. (1) Therefore, my field lookup is getting stuck on the 10k limit - is there a way to get around this i.e. a different format for the search, rather than increasing my subsearch limit?

(2) Previously, I was specifying day=0 by the actual date e.g mm/dd/yy; however, I want to run this query on multiple datasets that were each have their first collection on different start dates, that I may not necessarily know, therefore I cannot specify the exact date; but would like some general format that will automatically search from day=0

Here is the query currently:

index=xyz source=abc macAddress!=def earliest=07/24/2016:00:00:00 latest=07/24/2016:23:59:59 operStatus="Off" 
  [ search source=*devices* index=xyz productFamily=pqr timeStamp="2016-07-24*" 
  | dedup deviceId
  | table deviceId]
| dedup _time,macAddress
| fields macAddress
| fields - _*
| outputlookup listofswitchesdownonday0.csv

And then field lookup with this:

index=xyz earliest=07/25/2016:00:00:00
[| inputlookup "listofswitchesoffonday0.csv"]
| bin_time span=1d
| dedup _time, macAddress
| stats count by _time,operStatus 
| sort _time

But this gives me the 10k limit, when the number I'm looking for is ~150k; and if I use the same query for other datasets, they may have a first collection date earlier than 07/24/2016. There is a lot of data, so the faster the better.

Thank you in advance