append and max results (50000)

johnnymc · ‎09-15-2011

i'm trying to merge results from two searches to join various values from the search field.

i see that the latter search is stuck at 50000 results, whatever or not i append maxout=500000 and maxtime=86400 .

earliest="-w@w+1d" latest="-d@w-1d"  foo | append maxtime=14400 maxout=5000000 [search earliest="-w@w+1d" bar ].

i'm still getting 50000 results only from the bar search.
any clues?
i'd prefer not to modify conf files.

thanks

yannK · ‎03-01-2012

For the append command, you have 2 setting that controls the limit.

the hard limit in limits.conf
[searchresults]
maxresultrows = 50000
the soft limit maxout parameter in the append (default to 50000 too)
see http://docs.splunk.com/Documentation/Splunk/4.3/SearchReference/Append

You can use maxout to reduce the number of results to append but not to go above the maxresultrows limit.

[searchresults] maxresultrows = 50000 and index=* | head 100 | append maxout=10000 [ search index=* ] will return 10100 events

[searchresults] maxresultrows = 50000
and
index=* | head 100 | append maxout=100000000000 [ search index=* ]
will return only 50100 events.

bbingham · ‎09-15-2011

I think you're hitting the hard limit in limits.conf for a join. I don't think there is a way around this without modifying the conf files.

[join]
subsearch_maxout = 50000
subsearch_maxtime = 60
subsearch_timeout = 120

johnnymc · ‎09-27-2011

nope. modfying join doesn't work.
it seems it has something to do with:

[searchresults]
* This stanza controls search results for a variety of Splunk search commands.

maxresultrows = <integer>