Hi.
I have one problem. It is truncated subsearch result.
index="test-index01" sourcetype="test_sourcetype" user="*" OR user_name="*"
| stats count(file_name) as file_cnt sum(save_cnt) as save_cnt by user
file_name bunit id name
| join type=left file_name user
[ | tstats summariesonly=t earliest(test_datamodel.privacy_count) as
privacy_count FROM datamodel=datamodel WHERE "test_datamodel.user"="*"
BY test_datamodel.user test_datamodel.file_name
| rename test_datamodel.user as user test_datamodel.file_name as
file_name]
search result alert : [subsearch]: Subsearch produced 1485715 results, truncating to maxout 500000.
too many (BY user file_name) results. It is searched privacy_count query by user file_name.
So I want to listen your advice.
I don't know that I have to see some manual.
Thank you.
