Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Retrieve the Data from multiple searches

Shashank_87
Explorer
‎06-13-2018 05:37 AM

Hi, I have something like this -
Search 1 - for media customers
- Summary Index A - contains data from 20th May till now - for media customers
- Lookup 1 - contains data from 20-Feb to 20th May
- Lookup 2 - contains data from 21-Dec to 19th Feb

Search 2 - for mobile customers
Summary Index B - contains data from 20th May till now
Lookup 1 - contains data from 20-Feb to 20th May
Lookup 2 - contains data from 21-Dec to 19th Feb

Now I have to combine the results of these 2 searches by removing all the duplicates. I am using append command with dedup, limit=0 and all but I am getting this in the Job inspector. what possibly could the the reason for truncating the sub search rows?
[subsearch] : Search Processor: Subsearch produced 51402 results, truncating max out to 50000

Tags (3)
0 Karma
Reply

somesoni2
SplunkTrust
SplunkTrust
‎06-13-2018 01:43 PM

The append uses subsearch and that has a limit of max rows to return of 50000. Whats your full search? How much data each of the search (summary index search and lookups) contains?

0 Karma
Reply
Get Updates on the Splunk Community!

Observability | How to Think About Instrumentation Overhead (White Paper)

Novice observability practitioners are often overly obsessed with performance. They might approach ...

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

IDC Report: Enterprises Gain Higher Efficiency and Resiliency With Migration to Cloud  Today many enterprises ...

The Great Resilience Quest: 10th Leaderboard Update

The tenth leaderboard update (11.23-12.05) for The Great Resilience Quest is out >> As our brave ...