Re: Sub Search Limit

Kendo213 · ‎07-10-2018

Any ideas on how I can get around the 10k subsearch limit? This search is quick, and works fine, however I'm hitting a limit on the number of records being returned if I lengthen/broaden the search. I've been trying to think of ways of moving away from the subsearch, but I can't seem to get any other method to work.

<form>
  <label>Windows Update Reporting</label>
  <search id="baseSearch">
    <query>index=winevents sourcetype=WindowsUpdateLog (eventtype="Update_Successful" OR eventtype="Update_Failed")  AND package="$updatenumber$" | search[inputlookup $serverworkstation$ | rename cn as host | search host="$hostdevice$" ]
| dedup package, host 
| eval status=if(eventtype=="Update_Successful", "Success", if(eventtype=="Update_Failed", "Failed", "NA")) 
| stats latest(_time) as ltime, count by status, host, package
| convert ctime(ltime) 
| eval lsuccess="Succesful at (".ltime.")" 
| eval lfail="Failed at (".ltime.")" 
| eval lstatus=if(status=="Success",lsuccess,lfail) 
| stats values(lstatus) as Status_History by host, package
| sort host,package 
| eval scount=mvcount(Status_History) 
| eval Last_Status=if(scount>1,"Success",if(match(Status_History, "Success*"),"Success","Failed")) 
| search Last_Status="$updatestatus$"
| fields Last_Status,package,host
</query>
    <earliest>$field1.earliest$</earliest>
    <latest>$field1.latest$</latest>
  </search>
  <fieldset submitButton="false">
    <input type="time" token="field1" searchWhenChanged="true">
      <label>Time Range</label>
      <default>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="serverworkstation" searchWhenChanged="true">
      <label>Server/Workstation</label>
      <choice value="serverlist.csv">Servers</choice>
      <choice value="workstationlist.csv">Workstations</choice>
      <choice value="serverlist.csv | inputlookup workstationlist.csv append=t">All</choice>
      <default>serverlist.csv | inputlookup workstationlist.csv append=t</default>
    </input>
    <input type="dropdown" token="updatestatus" searchWhenChanged="true">
      <label>Update Status</label>
      <choice value="Success">Success</choice>
      <choice value="Failed">Failed</choice>
      <choice value="*">Success &amp; Failed</choice>
      <default>Failed</default>
    </input>
    <input type="text" token="hostdevice" searchWhenChanged="true">
      <label>Device (* for all)</label>
      <default>*</default>
    </input>
    <input type="text" token="updatenumber" searchWhenChanged="true">
      <label>KB# (* for all)</label>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <title>Update Statistics - (Devices: $hostdevice$) (KB: $updatenumber$) (Update Status: $updatestatus$)</title>
        <search base="baseSearch">
          <query>stats count by Last_Status</query>
        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.chart.showPercent">1</option>
        <option name="charting.drilldown">all</option>
      </chart>
    </panel>
    <panel>
      <table>
        <title>Update Details - (Devices: $hostdevice$) (KB: $updatenumber$) (Update Status: $updatestatus$)</title>
        <search base="baseSearch"></search>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <chart>
        <title>Top 10 Failing Hosts - (Devices: $hostdevice$) (KB: $updatenumber$) (Update Status: $updatestatus$)</title>
        <search base="baseSearch">
          <query>stats count(eval(Last_Status="Failed")) as FailedUpdates by host | where FailedUpdates>0 | sort - FailedUpdates | head 10 </query>
        </search>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.chart">bar</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.layout.splitSeries">0</option>
      </chart>
    </panel>
    <panel>
      <chart>
        <title>Top 10 Failed Updates - (Devices: $hostdevice$) (KB: $updatenumber$) (Update Status: $updatestatus$)</title>
        <search base="baseSearch">
          <query>stats count(eval(Last_Status="Failed")) as FailedUpdates by package | where FailedUpdates>0 | sort - FailedUpdates | head 10</query>
        </search>
        <option name="charting.chart">pie</option>
      </chart>
    </panel>
  </row>
</form>

woodcock · ‎07-10-2018

Change this:

| search[inputlookup $serverworkstation$ | rename cn as host | search host="$hostdevice$" ]

To this:

AND [|inputlookup $serverworkstation$ | rename cn as host | search host="$hostdevice$" ]

Also, it would be more clear if you added a | table host foo bar to the end of the subsearch.

Kendo213 · ‎07-10-2018

So I did get this to work, however it's extremely slow compared to my subsearch. Any thoughts on speeding it up? It takes 139 seconds for 7 days search, it was basically instant before.

Kendo213 · ‎07-10-2018

This doesn't return any results unfortunately

renjith_nair · ‎07-10-2018

Try |format at the end of the subsearch

Ref : https://docs.splunk.com/Documentation/Splunk/7.1.1/Search/Changetheformatofsubsearchresults

---
What goes around comes around. If it helps, hit it with Karma 🙂

Kendo213 · ‎07-10-2018

I think I've tried that in the past, and did just again. The issue is it will only return 10,000 statistics.

Sub Search Limit

The OpenTelemetry Certified Associate (OTCA) Exam

From Manual to Agentic: Level Up Your SOC at Cisco Live

Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 4)

Join the Conversation

Sub Search Limit

The OpenTelemetry Certified Associate (OTCA) Exam

From Manual to Agentic: Level Up Your SOC at Cisco Live

Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 4)