Splunk Search

Join truncating from too many results.

dennywebb
Path Finder

I have 2 kinds of logs, one for an install of a toolbar, and one for the USE of the toolbar to do a search.

The install log has the browser type, and the search log does not. Both have a UniqueBrowserID field that will match them for a join.

My goal is to view the search log with the browser type. I have tried doing:

eventtype="SearchLog" sourcetype="apache_error" | join UniqueBrowserID [search eventtype="InstallLog" | fields BrowserName]

but always get this message:
[subsearch]: Subsearch produced 50000 results, truncating to maxout 50000.

and the results are missing the BrowserName...

I tried making a macro and using an eval, but I can't figure out how to make a search in the macro only return a string, so I get:
Error in 'SearchParser': The definition of macro 'BrowserNameByUniqueID(1)' is expected to be an eval expression that returns a string.

The macro is defined as:

eventtype="InstallLog" UniqueBrowserID="$UBI$" | head 1 | table BrowserName

Help!


sideview
SplunkTrust

I'm pretty sure you neither want nor need a join here.

(sourcetype="apache_error" eventtype="SearchLog" ) OR (eventtype="InstallLog") 
| stats values(BrowserName) count by UniqueBrowserID

If the two logs extract the browser ID field with different field names, you may need a little eval to normalize them, e.g.:

(sourcetype="apache_error" eventtype="SearchLog" ) OR (eventtype="InstallLog") 
| eval normalizedId=if(sourcetype="apache_error",browserID,uniq_browser_id)
| stats values(BrowserName) count by normalizedId
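To make the difference between the two approaches concrete, here is a small Python model written for this thread (it is not Splunk code and not from the answer above). It mimics `join` with a capped subsearch next to a single combined search aggregated with `stats ... by UniqueBrowserID`. The events, field values and the tiny cap of 3 are constructed; the real default cap is the 50000 from the error message.

```python
"""Added example (not from the thread): why `... | join UniqueBrowserID
[subsearch]` loses rows once the subsearch is capped, and why
`(A) OR (B) | stats values(BrowserName) count by UniqueBrowserID`
does not. Events, field values and the cap are constructed; the real
Splunk default is subsearch_maxout = 50000."""
from collections import defaultdict

SUBSEARCH_MAXOUT = 3  # constructed stand-in for the 50000 cap

# Constructed install events: each carries BrowserName.
INSTALL_LOG = [
    {"UniqueBrowserID": "b1", "BrowserName": "Chrome"},
    {"UniqueBrowserID": "b2", "BrowserName": "Firefox"},
    {"UniqueBrowserID": "b3", "BrowserName": "Edge"},
    {"UniqueBrowserID": "b4", "BrowserName": "Safari"},
    {"UniqueBrowserID": "b5", "BrowserName": "Chrome"},
]
# Constructed search events: only the id, no browser name.
SEARCH_LOG = [
    {"UniqueBrowserID": "b1", "query": "weather"},
    {"UniqueBrowserID": "b4", "query": "news"},
    {"UniqueBrowserID": "b5", "query": "maps"},
    {"UniqueBrowserID": "b5", "query": "mail"},
]


def join_with_maxout(outer, inner, key, maxout=SUBSEARCH_MAXOUT):
    """Mimics join: the subsearch result set is truncated to `maxout`
    rows *before* the join, so any inner row past the cap can never match.
    Modelled as a left (type=outer) join so unmatched rows stay visible
    without a BrowserName, the symptom described in the question."""
    lookup = {}
    for row in inner[:maxout]:
        lookup.setdefault(row[key], row)  # join keeps the first match per key
    return [{**row, **lookup.get(row[key], {})} for row in outer]


def stats_by_key(events, key, value_field):
    """Mimics `stats values(value_field) count by key` over one combined
    search: every event is read once, there is no subsearch, so no cap."""
    buckets = defaultdict(lambda: {"values": set(), "count": 0})
    for ev in events:
        bucket = buckets[ev[key]]
        bucket["count"] += 1
        if ev.get(value_field):
            bucket["values"].add(ev[value_field])
    return {k: {"values": sorted(v["values"]), "count": v["count"]}
            for k, v in buckets.items()}


def ids_without_browser(rows, key="UniqueBrowserID", field="BrowserName"):
    """Ids that came out of the join with no BrowserName attached."""
    return sorted({r[key] for r in rows if not r.get(field)})


if __name__ == "__main__":
    joined = join_with_maxout(SEARCH_LOG, INSTALL_LOG, "UniqueBrowserID")
    print("join, ids missing BrowserName:", ids_without_browser(joined))
    combined = stats_by_key(INSTALL_LOG + SEARCH_LOG, "UniqueBrowserID", "BrowserName")
    for browser_id, row in combined.items():
        print("stats", browser_id, row)
```

With the cap at 3, the join leaves b4 and b5 without a BrowserName even though their installs exist; the stats version attaches Chrome to b5 and counts all three of its events, because the installs and the searches are read in one pass and grouped by the shared id rather than looked up through a subsearch.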

marcoscala
Builder

You can override the 50,000 default maximum number of events returned from the join subsearch in limits.conf using

[join]
subsearch_maxout = <yourvalue>

Marco

MuS
SplunkTrust

Just a small note: this question was tagged with splunkstorm. If you're on Splunk Storm this will not be possible, while for Splunk Enterprise this is correct 😉

lguinn2
Legend

Try this

eventtype="SearchLog" sourcetype="apache_error" 
| join UniqueBrowserID 
         [ search eventtype="InstallLog" BrowserName=* 
         | addinfo | where _time >= info_min_time AND _time <= info_max_time
         | dedup UniqueBrowserID 
         | fields UniqueBrowserID BrowserName ]

Which may solve both the subsearch limit and the fact that you have blank BrowserNames. I am not sure why you need a macro; are you trying to run this search for a single browser ID?

Note that the inner search runs over all time by default. The search above uses the addinfo command to retrieve the min and max times from the outer search and applies them to the inner search in the where command.
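The following Python model, written for this thread rather than taken from the answer above, traces what that inner search does to the row count handed to join: it drops events with no BrowserName (`BrowserName=*`), keeps only events inside the outer search's window (`addinfo` plus the `where`), and keeps one row per UniqueBrowserID (`dedup`). The install events, their `_time` values and the windows are constructed.

```python
"""Added example (not from the thread): a model of the subsearch
`BrowserName=* | addinfo | where _time >= info_min_time AND _time <= info_max_time
 | dedup UniqueBrowserID | fields UniqueBrowserID BrowserName`.
Install events, _time values (epoch seconds) and windows are constructed."""

INSTALLS = [
    {"_time": 100, "UniqueBrowserID": "b1", "BrowserName": "Chrome"},   # old install
    {"_time": 900, "UniqueBrowserID": "b1", "BrowserName": "Chrome"},   # reinstall
    {"_time": 950, "UniqueBrowserID": "b2", "BrowserName": "Firefox"},
    {"_time": 980, "UniqueBrowserID": "b2", "BrowserName": ""},         # blank name
    {"_time": 990, "UniqueBrowserID": "b3", "BrowserName": "Edge"},
    {"_time": 995, "UniqueBrowserID": "b3", "BrowserName": "Edge"},
]


def shrink_subsearch(installs, info_min_time, info_max_time):
    """Returns the rows the subsearch would hand to join, newest first."""
    # BrowserName=*  -> drop events where the field is missing or empty
    rows = [e for e in installs if e.get("BrowserName")]
    # addinfo + where -> keep only events inside the outer search's window
    rows = [e for e in rows if info_min_time <= e["_time"] <= info_max_time]
    # Splunk returns events newest first, so dedup keeps the latest per id
    rows.sort(key=lambda e: e["_time"], reverse=True)
    seen, deduped = set(), []
    for e in rows:
        if e["UniqueBrowserID"] in seen:
            continue
        seen.add(e["UniqueBrowserID"])
        # fields UniqueBrowserID BrowserName
        deduped.append({"UniqueBrowserID": e["UniqueBrowserID"],
                        "BrowserName": e["BrowserName"]})
    return deduped


def ids_dropped_by_window(installs, info_min_time, info_max_time):
    """Browser ids that have a named install, but none inside the window."""
    all_ids = {e["UniqueBrowserID"] for e in installs if e.get("BrowserName")}
    kept = {r["UniqueBrowserID"]
            for r in shrink_subsearch(installs, info_min_time, info_max_time)}
    return sorted(all_ids - kept)


if __name__ == "__main__":
    print(shrink_subsearch(INSTALLS, 0, 1000))         # all time: 6 events in, 3 rows out
    print(ids_dropped_by_window(INSTALLS, 950, 1000))  # ['b1']: installed before the window
```

Over all time the dedup alone cuts six install events to three rows, one per browser id, which is what keeps the subsearch under the cap. The second call shows the trade-off: a window of 950 to 1000 discards b1 entirely, because its last install predates the window, so any search event from b1 would come out of the join without a BrowserName.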

dennywebb
Path Finder

My goal here is that we also have a bunch of searches coming from a web page, and the logs of these DO include the browser with every log. I'd like to create a final search that includes BOTH types of logs and gives stats/charts/etc., including on browser types, for my dashboard.


dennywebb
Path Finder

And it's eliminating records if I do that, because an install may have happened a year ago that I'm trying to join with a search log to get the browser name. The above limits it to only installs in the same timeframe as the search.


dennywebb
Path Finder

I was trying to use a macro as a subsearch to get around the subsearch limitations... I thought if I could do an eval macro for each record, then I WOULD only be looking for a single ID each time the eval ran (as I understand it, that evals per record), making it a smaller list.

I'm still being truncated if I go over "last 24 hours" with your solution.
