Splunk Search

Join truncating from too many results.

dennywebb
Path Finder

I have 2 kinds of logs: one for an install of a toolbar, and one for the USE of the toolbar to do a search.

The install log has the browser type, and the search log does not. Both have a UniqueBrowserID field that will match them for a join.

My goal is to view the search log with the browser type. I have tried doing:

eventtype="SearchLog" sourcetype="apache_error" | join UniqueBrowserID [search eventtype="InstallLog" | fields BrowserName]

but always get this message:
[subsearch]: Subsearch produced 50000 results, truncating to maxout 50000.

and have results missing the BrowserName....

I tried making a macro and using an eval, but I can't figure out how to make a search in the macro only return a string, so I get:
Error in 'SearchParser': The definition of macro 'BrowserNameByUniqueID(1)' is expected to be an eval expression that returns a string.

The macro is defined as:

eventtype="InstallLog" UniqueBrowserID="$UBI$" | head 1 | table BrowserName

Help!


sideview
SplunkTrust

I'm pretty sure you neither want nor need a join here.

(sourcetype="apache_error" eventtype="SearchLog" ) OR (eventtype="InstallLog") 
| stats values(BrowserName) count by UniqueBrowserID

If the two logs extract the browser ID field with different field names, you may need a little eval to normalize them, e.g.:

(sourcetype="apache_error" eventtype="SearchLog" ) OR (eventtype="InstallLog") 
| eval normalizedId=if(sourcetype="apache_error",browserID,uniq_browser_id)
| stats values(BrowserName) count by normalizedId

marcoscala
Builder

You can override the 50,000 default maximum number of events returned from the join subsearch in limits.conf using

[join]
subsearch_maxout = <yourvalue>

Marco

MuS
Legend

Just a small note: this question was tagged with splunkstorm. If you're on Splunk Storm this will not be possible, while for Splunk Enterprise this is correct 😉

lguinn2
Legend

Try this

eventtype="SearchLog" sourcetype="apache_error" 
| join UniqueBrowserID 
         [ search eventtype="InstallLog" BrowserName=* 
         | addinfo | where _time >= info_min_time AND _time <= info_max_time
         | dedup UniqueBrowserID 
         | fields UniqueBrowserID BrowserName ]

Which may solve both the subsearch limit and the fact that you have blank BrowserNames. I am not sure why you need a macro - are you trying to run this search for a single browser ID?

Note that the inner search runs over all time by default. The search above uses the addinfo command to retrieve the min and max times from the outer search and applies them to the inner search in the where command.
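To make the difference between the three strategies in this thread concrete (the plain join with a capped subsearch, the addinfo/where/dedup variant above, and sideview's union-plus-stats), here is a small Python model of their semantics run over constructed events. This is an added example, not code from the thread or from Splunk: the event records, the field values and the `maxout` cap of 2 are assumptions chosen so the truncation is visible on a handful of rows.

```python
from collections import defaultdict

# Constructed sample events (not from the thread). _time is epoch seconds.
# InstallLog events carry BrowserName; SearchLog events do not.
INSTALL_LOG = [
    {"_time": 100, "UniqueBrowserID": "b1", "BrowserName": "Firefox"},
    {"_time": 150, "UniqueBrowserID": "b1", "BrowserName": "Firefox"},  # reinstall
    {"_time": 200, "UniqueBrowserID": "b2", "BrowserName": "Chrome"},
    {"_time": 900, "UniqueBrowserID": "b3", "BrowserName": "Safari"},
]
SEARCH_LOG = [
    {"_time": 1000, "UniqueBrowserID": "b1", "query": "cats"},
    {"_time": 1010, "UniqueBrowserID": "b2", "query": "dogs"},
    {"_time": 1020, "UniqueBrowserID": "b3", "query": "fish"},
    {"_time": 1030, "UniqueBrowserID": "b1", "query": "birds"},
]


def join_with_subsearch(outer, inner, key, maxout):
    """Model of `outer | join key [inner]`.

    The subsearch result set is cut to `maxout` rows first (the
    "truncating to maxout" warning); outer rows whose key was cut
    off simply get no fields from the inner side."""
    lookup = {}
    for row in inner[:maxout]:
        lookup.setdefault(row[key], row)  # first inner match per key wins
    joined = []
    for row in outer:
        merged = dict(row)
        match = lookup.get(row[key])
        if match is not None:
            merged.update({k: v for k, v in match.items() if k not in ("_time", key)})
        joined.append(merged)
    return joined


def windowed_dedup_join(outer, inner, key, maxout):
    """Model of the addinfo/where/dedup variant: keep only inner events
    inside the outer search's time range, one per key, then join."""
    lo = min(e["_time"] for e in outer)
    hi = max(e["_time"] for e in outer)
    seen, deduped = set(), []
    for e in inner:
        if lo <= e["_time"] <= hi and e[key] not in seen:
            seen.add(e[key])
            deduped.append(e)
    return join_with_subsearch(outer, deduped, key, maxout)


def stats_values_by_key(events, key, field):
    """Model of `| stats values(field) count by key` over the union of
    both logs: there is no subsearch, so no maxout cap applies."""
    values = defaultdict(set)
    count = defaultdict(int)
    for e in events:
        count[e[key]] += 1
        if field in e:
            values[e[key]].add(e[field])
    return {k: {"values": sorted(values[k]), "count": count[k]} for k in count}


def rows_missing(rows, field):
    """How many joined rows came back without `field`."""
    return sum(1 for r in rows if field not in r)


if __name__ == "__main__":
    key, field = "UniqueBrowserID", "BrowserName"
    capped = join_with_subsearch(SEARCH_LOG, INSTALL_LOG, key, maxout=2)
    print("join, subsearch capped at 2: rows without BrowserName =", rows_missing(capped, field))
    windowed = windowed_dedup_join(SEARCH_LOG, INSTALL_LOG, key, maxout=2)
    print("windowed dedup join: rows without BrowserName =", rows_missing(windowed, field))
    print("stats over the union:", stats_values_by_key(INSTALL_LOG + SEARCH_LOG, key, field))
```

Two things the model makes visible: the windowed variant drops every install that happened before the outer search's time range (the sample installs all predate the searches, so no row gets a BrowserName), while the union-plus-stats path only depends on the outer time range covering the oldest install you care about. Note also that the `count` in the stats result counts events of both kinds per browser, so restrict it if you only want search events.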

dennywebb
Path Finder

My goal here is that we also have a bunch of searches coming from a web page; the logs of these DO include the browser with every log. I'd like to create a final search that includes BOTH types of logs and gives stats/charts/etc, including on browser types, for my dashboard.


dennywebb
Path Finder

And it's eliminating records if I do that, because an install may have happened a year ago that I'm trying to join with a search log to get the browser name. The above limits it to only installs in the same timeframe as the search.


dennywebb
Path Finder

I was trying to use a macro as a subsearch to get around the subsearch limitations... I thought if I could do an eval macro for each record, then I WOULD only be looking for a single ID each time the eval ran (as I understand, that evals per record), making it a smaller list.

I'm still being truncated if I go over "last 24 hours" with your solution.
