Solved: Overcoming subsearch truncation

yepyepyayyooo · ‎04-21-2020

I do not have any admin privilege in my Splunk instance and cannot change any configuration.

Need to search an index for any value matching what's in a lookup file. The problem is the file contains 130K records and I get a maxout truncation at 10K. How do I overcome this?

If you plan to tell me to split it up into 10K files, please don't.

index="bro"
   [ inputlookup bad_domains
   | fields domain ]
|stats values(domain) by _time

to4kawa · ‎04-21-2020

| inputlookup bad_domains
| eval flag="csv"
| append [search  index="bro"
| stats values(domain) as domain by _time
| eval flag="index"]
| stats dc(flag) as flag values(_time) as _time by domain
| where flag > 1
| table _time domain

search huge one first.

View solution in original post

to4kawa · ‎04-21-2020

| inputlookup bad_domains
| eval flag="csv"
| append [search  index="bro"
| stats values(domain) as domain by _time
| eval flag="index"]
| stats dc(flag) as flag values(_time) as _time by domain
| where flag > 1
| table _time domain

search huge one first.

yepyepyayyooo · ‎04-21-2020

Thanks to4kawa. I don't follow though. How do I fix the where comparison?

to4kawa · ‎04-21-2020

why do you fix this?

Overcoming subsearch truncation

subsearch

Splunk Observability for AI

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Splunk Observability as Code: From Zero to Dashboard

Are you a member of the Splunk Community?

Overcoming subsearch truncation

subsearch

Splunk Observability for AI

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Splunk Observability as Code: From Zero to Dashboard