Splunk Search

Sub Search Limit


Any ideas on how I can get around the 10k subsearch limit? This search is quick, and works fine, however I'm hitting a limit on the number of records being returned if I lengthen/broaden the search. I've been trying to think of ways of moving away from the subsearch, but I can't seem to get any other method to work.

<form>
  <label>Windows Update Reporting</label>
  <search id="baseSearch">
    <query>index=winevents sourcetype=WindowsUpdateLog (eventtype="Update_Successful" OR eventtype="Update_Failed")  AND package="$updatenumber$" | search[inputlookup $serverworkstation$ | rename cn as host | search host="$hostdevice$" ]
| dedup package, host
| eval status=if(eventtype=="Update_Successful", "Success", if(eventtype=="Update_Failed", "Failed", "NA"))
| stats latest(_time) as ltime, count by status, host, package
| convert ctime(ltime)
| eval lsuccess="Successful at (".ltime.")"
| eval lfail="Failed at (".ltime.")"
| eval lstatus=if(status=="Success",lsuccess,lfail)
| stats values(lstatus) as Status_History by host, package
| sort host,package
| eval scount=mvcount(Status_History)
| eval Last_Status=if(scount>1,"Success",if(match(Status_History, "Success*"),"Success","Failed"))
| search Last_Status="$updatestatus$"
| fields Last_Status,package,host</query>
    <!-- Added so the Time Range input (token field1) actually scopes the base search;
         without these the picker has no effect on it. -->
    <earliest>$field1.earliest$</earliest>
    <latest>$field1.latest$</latest>
  </search>
  <fieldset submitButton="false">
    <input type="time" token="field1" searchWhenChanged="true">
      <label>Time Range</label>
    </input>
    <input type="dropdown" token="serverworkstation" searchWhenChanged="true">
      <choice value="serverlist.csv">Servers</choice>
      <choice value="workstationlist.csv">Workstations</choice>
      <choice value="serverlist.csv | inputlookup workstationlist.csv append=t">All</choice>
      <default>serverlist.csv | inputlookup workstationlist.csv append=t</default>
    </input>
    <input type="dropdown" token="updatestatus" searchWhenChanged="true">
      <label>Update Status</label>
      <choice value="Success">Success</choice>
      <choice value="Failed">Failed</choice>
      <choice value="*">Success &amp; Failed</choice>
    </input>
    <input type="text" token="hostdevice" searchWhenChanged="true">
      <label>Device (* for all)</label>
    </input>
    <input type="text" token="updatenumber" searchWhenChanged="true">
      <label>KB# (* for all)</label>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Update Statistics - (Devices: $hostdevice$) (KB: $updatenumber$) (Update Status: $updatestatus$)</title>
      <chart>
        <search base="baseSearch">
          <query>stats count by Last_Status</query>
        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.chart.showPercent">1</option>
        <option name="charting.drilldown">all</option>
      </chart>
    </panel>
    <panel>
      <title>Update Details - (Devices: $hostdevice$) (KB: $updatenumber$) (Update Status: $updatestatus$)</title>
      <table>
        <search base="baseSearch"></search>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Top 10 Failing Hosts - (Devices: $hostdevice$) (KB: $updatenumber$) (Update Status: $updatestatus$)</title>
      <chart>
        <search base="baseSearch">
          <query>stats count(eval(Last_Status="Failed")) as FailedUpdates by host | where FailedUpdates>0 | sort - FailedUpdates | head 10</query>
        </search>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.chart">bar</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.layout.splitSeries">0</option>
      </chart>
    </panel>
    <panel>
      <title>Top 10 Failed Updates - (Devices: $hostdevice$) (KB: $updatenumber$) (Update Status: $updatestatus$)</title>
      <chart>
        <search base="baseSearch">
          <query>stats count(eval(Last_Status="Failed")) as FailedUpdates by package | where FailedUpdates>0 | sort - FailedUpdates | head 10</query>
        </search>
        <option name="charting.chart">pie</option>
      </chart>
    </panel>
  </row>
</form>
0 Karma

Esteemed Legend

Change this:

| search[inputlookup $serverworkstation$ | rename cn as host | search host="$hostdevice$" ]

To this:

AND [|inputlookup $serverworkstation$ | rename cn as host | search host="$hostdevice$" ]

Also, it would be clearer if you added a | table host foo bar to the end of the subsearch.

0 Karma


So I did get this to work, however it's extremely slow compared to my subsearch. Any thoughts on speeding it up? It takes 139 seconds for a 7-day search; it was basically instant before.

0 Karma


This doesn't return any results, unfortunately.

0 Karma


Try |format at the end of the subsearch.

Ref: https://docs.splunk.com/Documentation/Splunk/7.1.1/Search/Changetheformatofsubsearchresults

What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma


I think I've tried that in the past, and just did so again. The issue is it will only return 10,000 statistics.

0 Karma
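The thread ends with the subsearch still capped at 10,000 rows. Below is an added example (not the original poster's dashboard and not from any reply) of the same form rebuilt without a subsearch: host membership is checked per event with the lookup command, which is a streaming join against the CSV and is not subject to the subsearch row cap. It assumes the same two lookup files (serverlist.csv and workstationlist.csv) with a column cn holding the host name, and the same index, sourcetype, eventtype and package fields as the original search. The Servers/Workstations/All dropdown now carries a fixed where() predicate instead of a fragment of SPL, so only those three strings can ever be spliced into the query; the free-text tokens use the $token|s$ filter, which quotes and escapes the typed value. Last_Status is taken from the most recent event per host and package, and Status_History is built with a stats eval rather than the original dedup/mvcount logic.

```xml
<form>
  <label>Windows Update Reporting (lookup-based, no subsearch)</label>
  <!-- Added example, not the original poster's dashboard. Assumes lookups
       serverlist.csv and workstationlist.csv, each with a "cn" host column. -->
  <fieldset submitButton="false">
    <input type="time" token="field1" searchWhenChanged="true">
      <label>Time Range</label>
      <default>
        <earliest>-7d@d</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="serverworkstation" searchWhenChanged="true">
      <label>Scope</label>
      <!-- Each choice is a complete predicate for the "where" below; nothing
           else can reach the search string through this token. -->
      <choice value="isnotnull(in_servers)">Servers</choice>
      <choice value="isnotnull(in_workstations)">Workstations</choice>
      <choice value="isnotnull(in_servers) OR isnotnull(in_workstations)">All</choice>
      <default>isnotnull(in_servers) OR isnotnull(in_workstations)</default>
    </input>
    <input type="dropdown" token="updatestatus" searchWhenChanged="true">
      <label>Update Status</label>
      <choice value="Success">Success</choice>
      <choice value="Failed">Failed</choice>
      <choice value="*">Success &amp; Failed</choice>
      <default>*</default>
    </input>
    <input type="text" token="hostdevice" searchWhenChanged="true">
      <label>Device (* for all)</label>
      <default>*</default>
    </input>
    <input type="text" token="updatenumber" searchWhenChanged="true">
      <label>KB# (* for all)</label>
      <default>*</default>
    </input>
  </fieldset>
  <search id="baseSearch">
    <!-- host and package go into the indexed part of the search ($token|s$
         quotes and escapes the typed text); membership in the chosen lookup
         is then tested per event. No subsearch, so no 10,000-row cap. -->
    <query>index=winevents sourcetype=WindowsUpdateLog (eventtype="Update_Successful" OR eventtype="Update_Failed") package=$updatenumber|s$ host=$hostdevice|s$
| lookup serverlist.csv cn AS host OUTPUT cn AS in_servers
| lookup workstationlist.csv cn AS host OUTPUT cn AS in_workstations
| where $serverworkstation$
| eval status=if(eventtype=="Update_Successful", "Success", "Failed")
| stats latest(status) AS Last_Status values(eval(status." at (".strftime(_time, "%Y-%m-%d %H:%M:%S").")")) AS Status_History BY host package
| search Last_Status=$updatestatus|s$
| fields host package Last_Status Status_History</query>
    <earliest>$field1.earliest$</earliest>
    <latest>$field1.latest$</latest>
  </search>
  <row>
    <panel>
      <title>Update Statistics - (Devices: $hostdevice$) (KB: $updatenumber$) (Update Status: $updatestatus$)</title>
      <chart>
        <search base="baseSearch">
          <query>stats count BY Last_Status</query>
        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.chart.showPercent">1</option>
      </chart>
    </panel>
    <panel>
      <title>Top 10 Failing Hosts - (Devices: $hostdevice$) (KB: $updatenumber$)</title>
      <chart>
        <search base="baseSearch">
          <query>where Last_Status="Failed" | stats count AS FailedUpdates BY host | sort - FailedUpdates | head 10</query>
        </search>
        <option name="charting.chart">bar</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>Update Details - (Devices: $hostdevice$) (KB: $updatenumber$) (Update Status: $updatestatus$)</title>
      <table>
        <search base="baseSearch"></search>
      </table>
    </panel>
  </row>
</form>
```

The trade-off is where the work happens. The original subsearch expanded the CSV into a list of host= terms that the indexers could use, which is why it felt instant for a short list and why the AND [...] variant in the replies slowed down once that list grew to thousands of OR'd terms; the lookup version instead reads every event that matches package and host for the time range and drops non-members afterwards, so its cost tracks event volume rather than list size, and it never truncates. If the subsearch must stay, the cap itself is the global maxout setting in the [subsearch] stanza of limits.conf (default 10000), with maxtime (default 60 seconds) as a second ceiling; raising it affects every search on the search head, and a |format at the end of the subsearch does not lift it, which matches what the last reply observed.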