Retrieve the Data from multiple searches

Shashank_87 · ‎06-13-2018

Hi, I have something like this -
Search 1 - for media customers
- Summary Index A - contains data from 20th May till now - for media customers
- Lookup 1 - contains data from 20-Feb to 20th May
- Lookup 2 - contains data from 21-Dec to 19th Feb

Search 2 - for mobile customers
Summary Index B - contains data from 20th May till now
Lookup 1 - contains data from 20-Feb to 20th May
Lookup 2 - contains data from 21-Dec to 19th Feb

Now I have to combine the results of these 2 searches by removing all the duplicates. I am using append command with dedup, limit=0 and all but I am getting this in the Job inspector. what possibly could the the reason for truncating the sub search rows?
[subsearch] : Search Processor: Subsearch produced 51402 results, truncating max out to 50000

somesoni2 · ‎06-13-2018

The append uses subsearch and that has a limit of max rows to return of 50000. Whats your full search? How much data each of the search (summary index search and lookups) contains?

Retrieve the Data from multiple searches

Finding Based Detections General Availability

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience

What’s New in Splunk Observability Cloud: January Feature Highlights & Deep Dives

Join the Conversation

Retrieve the Data from multiple searches

Finding Based Detections General Availability

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience

What’s New in Splunk Observability Cloud: January Feature Highlights & Deep Dives