Subsearch limits pre-post filtering?

quadrant8 · ‎06-18-2024

I've seen the documentation which says "by default subsearches return a maximum of 10,000 results and have a maximum runtime of 60 seconds", but it's unclear if that limit is before or after applying transforms.

e.g. does it apply to the base search (e.g. the output of index=wineventlogs AND ComputerName=MyDesktop is capped at 10k) or if the filtered results (e.g. if I add conditions and filter to reduce the final dataset) is where any results over 10k will be dropped?

gcusello · ‎06-18-2024

Hi @quadrant8 ,

10k events is the limit of subsearch results: if you run the subsearch as a main search, without anithing, have you more or less of 10K events?

if more than 10K events, you have to find a different solution (e.g. putting the subsearch in the main search with an OR condition, defining a correlation key and checking that the correlation key is present in both the searches.

Ciao.

Giuseppe

Subsearch limits pre-post filtering?

subsearch

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Join the Conversation

Subsearch limits pre-post filtering?

subsearch

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability