Splunk Search results limit 4999

kc_prane
Path Finder

Hello, 

Currently, I am using the append command to combine two queries and tabulate the results, but I see only 4999 transactions. Is there any way I can get full results? Thanks in advance!

0 Karma

bowesmana
SplunkTrust

append and subsearches have limitations and limits defined in limits.conf, so you cannot override these, but that number seems an odd number. 

What is your search - there are often alternatives to append and a subsearch.

Can you share your search?

0 Karma

kc_prane
Path Finder

Hi @bowesmana, thanks for the reply. Please find the below snapshots for the query. I had masked my base search. FYI, my base search is the same for the subsearch as well.

[Screenshot: kc_prane_0-1699495212563.png]

0 Karma

bowesmana
SplunkTrust

OK, so a lot going on here...

You have two searches that look similar - not sure if they are searching the same data set, but in order to diagnose this you should do a number of things. You are also using the transaction command that also has limitations and can cause data not to appear if you hit those limitations - and you will not know about it.

I suggest you validate first search 1 and see how many results you expect and then run search 2 (the appended data) and determine how many you see then.

If you do not see 1 + 2 in the combined search, you are hitting some memory issue.

I suspect, but cannot say exactly, that you could remove both the append and the use of transaction and just use stats. 

Are the two masked search data sets the same or different?

 

0 Karma

gcusello
SplunkTrust

Hi @kc_prane ,

Using a screenshot and masking your search, we cannot help you!

@bowesmana was saying that probably you don't need to use append and you can put both the searches in the main search; in this way you don't have any limit.

Ciao.

Giuseppe

0 Karma
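
The rewrite suggested in this thread, sketched as an added example that is not from any of the posters. The original search was masked, so the index `app_logs`, the correlation field `txn_id`, and the `action` values `request` and `response` are assumptions standing in for the two appended searches over the same base data.

```spl
index=app_logs (action=request OR action=response)
| stats min(_time) AS start_time
        max(_time) AS end_time
        count(eval(action="request"))  AS requests
        count(eval(action="response")) AS responses
        values(action) AS actions
        BY txn_id
| eval duration = end_time - start_time
| table txn_id start_time end_time duration requests responses actions
```

Both event sets are pulled by the main search and grouped with `stats`, so there is no `append` subsearch and no `transaction` in the pipeline. To validate it as suggested above, compare the row count with the counts from running each original search on its own.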