Solved: Overcoming subsearch truncation

yepyepyayyooo · ‎04-21-2020

I do not have any admin privilege in my Splunk instance and cannot change any configuration.

Need to search an index for any value matching what's in a lookup file. The problem is the file contains 130K records and I get a maxout truncation at 10K. How do I overcome this?

If you plan to tell me to split it up into 10K files, please don't.

index="bro"
   [ inputlookup bad_domains
   | fields domain ]
|stats values(domain) by _time

to4kawa · ‎04-21-2020

| inputlookup bad_domains
| eval flag="csv"
| append [search  index="bro"
| stats values(domain) as domain by _time
| eval flag="index"]
| stats dc(flag) as flag values(_time) as _time by domain
| where flag > 1
| table _time domain

search huge one first.

View solution in original post

to4kawa · ‎04-21-2020

| inputlookup bad_domains
| eval flag="csv"
| append [search  index="bro"
| stats values(domain) as domain by _time
| eval flag="index"]
| stats dc(flag) as flag values(_time) as _time by domain
| where flag > 1
| table _time domain

search huge one first.

yepyepyayyooo · ‎04-21-2020

Thanks to4kawa. I don't follow though. How do I fix the where comparison?

to4kawa · ‎04-21-2020

why do you fix this?

Overcoming subsearch truncation

subsearch

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!