Splunk Search

Retrieve the Data from multiple searches

Shashank_87
Explorer

Hi, I have something like this -
Search 1 - for media customers
- Summary Index A - contains data from 20th May till now - for media customers
- Lookup 1 - contains data from 20-Feb to 20th May
- Lookup 2 - contains data from 21-Dec to 19th Feb

Search 2 - for mobile customers
- Summary Index B - contains data from 20th May till now
- Lookup 1 - contains data from 20-Feb to 20th May
- Lookup 2 - contains data from 21-Dec to 19th Feb

Now I have to combine the results of these 2 searches by removing all the duplicates. I am using the append command with dedup, limit=0 and all, but I am getting this in the Job Inspector. What could possibly be the reason for truncating the subsearch rows?
[subsearch] : Search Processor: Subsearch produced 51402 results, truncating max out to 50000

0 Karma

somesoni2
SplunkTrust

The append command uses a subsearch, and that has a limit on the maximum number of rows returned of 50000. What's your full search? How much data does each of the searches (summary index search and lookups) contain?

0 Karma