Retrieve the Data from multiple searches

Shashank_87
Explorer

Hi, I have something like this -
Search 1 - for media customers
- Summary Index A - contains data from 20th May till now - for media customers
- Lookup 1 - contains data from 20-Feb to 20th May
- Lookup 2 - contains data from 21-Dec to 19th Feb

Search 2 - for mobile customers
- Summary Index B - contains data from 20th May till now
- Lookup 1 - contains data from 20-Feb to 20th May
- Lookup 2 - contains data from 21-Dec to 19th Feb

Now I have to combine the results of these 2 searches by removing all the duplicates. I am using the append command with dedup, limit=0 and all, but I am getting this in the Job Inspector. What could possibly be the reason for truncating the subsearch rows?
[subsearch] : Search Processor: Subsearch produced 51402 results, truncating max out to 50000


somesoni2
SplunkTrust

The append uses subsearch and that has a limit of max rows to return of 50000. What's your full search? How much data does each of the searches (summary index search and lookups) contain?
