Splunk Search

Is there an alternative to subsearch or a way to raise the results limit?

rlough
Path Finder

So I finally got my query to work only to find out that subsearch has a limit to 10,000 results! Is there a way to raise this limit or an accepted alternative method to getting around a limit? I'm dealing with hundreds of thousands of results.

Example of what my query looks like:

index=*ind* source=src1.log [search index=*ind* source=src2.log | table FIELD] | join usetime=true earlier=false FIELD [search index=*ind* source=src3.log] | table FIELD

I've tried to filter out results with more tags, but I can't get anywhere near 10,000 and this query works perfectly aside from that (minus the time it takes for it to parse...).

Any help would be greatly appreciated!!

Tags (2)
1 Solution

lguinn2
Legend

Yes, there are often ways to get around using subsearches. I try to avoid subsearches both because of the limitations and because they are relatively slow. I also find that people with a database background (like me) tend to jump to subsearches when they really aren't necessary in Splunk. For example, your search can be done, I think, with this:

index=ind (source=src1.log OR source=src2.log or source=src3.log)
| eventstats count(eval(source=="src2.log")) as src2Count   count(eval(source=="src1.log")) as src1Count by FIELD
| where src2Count > 0 AND src1Count > 0 AND source!=src2.log
| eval src1_Time = if(source=="src1.log",_time,null())
| eval src3_Time = if(source=="src3.log",_time,null())
| stats latest(src1_time) as latest_src1  earliest(src3_time) as earliest_src3  
        count(isnotnull(src1_Time)) as src1Count   count(isnotnull(src3_Time)) as src3Count by FIELD
| where latest_src1 < earliest_src3 AND src1Count > 0 AND src3Count > 0
| table FIELD

However, I think there might be an even faster - and easier way - if you described what you are trying to do!

HTH

View solution in original post

lguinn2
Legend

Yes, there are often ways to get around using subsearches. I try to avoid subsearches both because of the limitations and because they are relatively slow. I also find that people with a database background (like me) tend to jump to subsearches when they really aren't necessary in Splunk. For example, your search can be done, I think, with this:

index=ind (source=src1.log OR source=src2.log or source=src3.log)
| eventstats count(eval(source=="src2.log")) as src2Count   count(eval(source=="src1.log")) as src1Count by FIELD
| where src2Count > 0 AND src1Count > 0 AND source!=src2.log
| eval src1_Time = if(source=="src1.log",_time,null())
| eval src3_Time = if(source=="src3.log",_time,null())
| stats latest(src1_time) as latest_src1  earliest(src3_time) as earliest_src3  
        count(isnotnull(src1_Time)) as src1Count   count(isnotnull(src3_Time)) as src3Count by FIELD
| where latest_src1 < earliest_src3 AND src1Count > 0 AND src3Count > 0
| table FIELD

However, I think there might be an even faster - and easier way - if you described what you are trying to do!

HTH

rlough
Path Finder

Wow, that runs much faster! Thank you for pointing me in the right direction!

I hate that I have to use three sources, but it seems to be the only way. Thank you so much for the help though!

0 Karma

MuS
Legend

in addition to @lguinn 's answer, if you want to learn more on this topic, check out this answer http://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-joi...

cheers, MuS

rlough
Path Finder

Wow! Thank you so much, this has completely changed how I'll query in the future. My query now works perfectly and super speedy! (Seriously, with subsearches it was taking 10 minutes to run, now it takes less than one.)
I'll now handle subsearches like I would handle a plague haha.

martin_mueller
SplunkTrust
SplunkTrust
0 Karma
Get Updates on the Splunk Community!

Harnessing Splunk’s Federated Search for Amazon S3

Managing your data effectively often means balancing performance, costs, and compliance. Splunk’s Federated ...

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

We’ve been buzzing with excitement about the recent validation of Splunk Education! The 2024 Splunk Career ...

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...