Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Retrieve the Data from multiple searches

Shashank_87
Explorer
‎06-13-2018 05:37 AM

Hi, I have something like this -
Search 1 - for media customers
- Summary Index A - contains data from 20th May till now - for media customers
- Lookup 1 - contains data from 20-Feb to 20th May
- Lookup 2 - contains data from 21-Dec to 19th Feb

Search 2 - for mobile customers
Summary Index B - contains data from 20th May till now
Lookup 1 - contains data from 20-Feb to 20th May
Lookup 2 - contains data from 21-Dec to 19th Feb

Now I have to combine the results of these 2 searches by removing all the duplicates. I am using append command with dedup, limit=0 and all but I am getting this in the Job inspector. what possibly could the the reason for truncating the sub search rows?
[subsearch] : Search Processor: Subsearch produced 51402 results, truncating max out to 50000

Tags (3)
0 Karma
Reply

somesoni2
Revered Legend
‎06-13-2018 01:43 PM

The append uses subsearch and that has a limit of max rows to return of 50000. Whats your full search? How much data each of the search (summary index search and lookups) contains?

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...