Splunk Search

Why is there an error of "Too many subsearches" when ingesting logs from haproxies running broken out by each API call?

aalvino73
New Member

Hi All,

Any help is greatly appreciated as I am of course in a bit of a time crunch.

We are currently using Splunk to ingest our logs from haproxies running in our environment. The haproxies front a number of services we offer using API calls.

I am trying to generate a report that breaks down the average response time (RTT in the haproxy log) broken out by each API call.

I found I can do this using this search:
sourcetype=haproxy:http status=200 "API1?" | stats avg(rtt) as API1 |
appendcols [search sourcetype=haproxy:http status=200 "API2?" | stats avg(rtt) as API2] |
appendcols [search sourcetype=haproxy:http status=200 "API3?" | stats avg(rtt) as API3] |
appendcols [search sourcetype=haproxy:http status=200 "API4?" | stats avg(rtt) as API4] |
transpose

I then get the table that I need with the first column being the APIs and the second column being the average response time for each request to that API call.

The problem is that I have about 40 API calls that I need to include in this report. When I get to 20 subsearches, I get the error "Too many subsearches".

Does anyone know if there is a way to workaround this?

Thank you very much.

Tony

0 Karma

aalvino73
New Member

@niketnilay - Thank you so much! That is very helpful! It worked perfectly, and I was able to add the counts to the output as well, which will help us prioritize where we should focus some optimization efforts.

Thanks!

Tony

0 Karma

niketn
Legend

@aalvino73 I am glad the solution worked. Do accept/upvote the answer 🙂

Do read the Splunk Documentation for Event Grouping and Correlation and Quick Tips for Search Optimization

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

niketn
Legend

@aalvino73, you should try to avoid sub-searches unless absolutely necessary. In your case your query can work without sub-searches. Try the following and confirm!

sourcetype=haproxy:http status=200  ("API1?" OR "API2?" OR "API3?")
| eval API=case(searchmatch("API1?"),"API1",
                searchmatch("API2?"),"API2",
                searchmatch("API3?"),"API3",
                true(),"unknown")
| stats avg(rtt) as Average by API
| eval Average=round(Average,2)

Also, when you end up using the transpose, xyseries or untable commands to format the table output, you should consider whether it is possible to construct the final output without using those.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
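The single-search approach above still lists every API by hand, which gets unwieldy at 40 entries and silently drops anything that does not match one of the literal patterns into "unknown". The following search is an added example, not code from the original thread: it pulls the API name out of the logged request line with rex instead of enumerating each one, and reports request count, average and 95th-percentile rtt per API, which is the "add the counts as well" output the original poster describes. It assumes the HAProxy httplog request line appears at the end of each event in the usual form "GET /API1?x=y HTTP/1.1", and that rtt and status are already extracted fields for the haproxy:http sourcetype, as in the thread; the field names method and API are chosen here.

```spl
sourcetype=haproxy:http status=200
| rex field=_raw "\"(?<method>[A-Z]+) /(?<API>[^/?\s\"]+)"
| where isnotnull(API)
| stats count AS Requests avg(rtt) AS Average perc95(rtt) AS P95 by API
| eval Average=round(Average,2), P95=round(P95,2)
| sort - Requests
```

The capture group stops at the first "/", "?" or space, so requests that differ only in their query string land in the same bucket, matching the "API1?" grouping used in the thread; if your paths nest deeper, widen the character class. Note that status=200 gives success-only latency and hides timeouts and 5xx responses, which are usually the slowest calls: run the same search with "by API, status" (or without the status filter) before deciding where to spend optimization effort. In the case()/searchmatch() form, remember that case() returns the first matching branch, so overlapping literal patterns must be ordered from most to least specific.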