Splunk Search

[subsearch]: Subsearch produced 12959 results, truncating to maxout 10000.

hylee
Explorer

When I put below,

sourcetype="splunk_page_request" NOT [| inputlookup nmc_crawlers | fields ip_address]

I got a message below,

[subsearch]: Subsearch produced 12959 results, truncating to maxout 10000.

How can I solve this?

1 Solution

linu1988
Champion

By default the subsearch result set limit is set to 10000. You can increase it in the limits.conf file. But it's not recommended to go beyond 10500. I have not tried to modify it to greater value but if its not working then need to think of something else. May be you can use Join which has a greater sub search value.

maxout =
* Maximum number of results to return from a subsearch.
* This value cannot be greater than or equal to 10500.
* Defaults to 10000.

Please refer:
http://docs.splunk.com/Documentation/Splunk/5.0.3/Admin/Limitsconf

View solution in original post

krugger
Communicator

The solution in the comments is valid, but you can also try:

sourcetype="splunk_page_request" NOT [| inputlookup nmc_crawlers | dedup ip_address |fields ip_address]

This will try to deduplicate the entries with the same IP in the nmc_crawlers lookup, hence reducing the number of returned address.

linu1988
Champion

By default the subsearch result set limit is set to 10000. You can increase it in the limits.conf file. But it's not recommended to go beyond 10500. I have not tried to modify it to greater value but if its not working then need to think of something else. May be you can use Join which has a greater sub search value.

maxout =
* Maximum number of results to return from a subsearch.
* This value cannot be greater than or equal to 10500.
* Defaults to 10000.

Please refer:
http://docs.splunk.com/Documentation/Splunk/5.0.3/Admin/Limitsconf

hylee
Explorer

Thank you so much!! I changed maxout to 13000 and it worked.

0 Karma
Get Updates on the Splunk Community!

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...

Get ready to show some Splunk Certification swagger at .conf24!

Dive into the deep end of data by earning a Splunk Certification at .conf24. We're enticing you again this ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Now On-Demand Join us to learn more about how you can leverage Service Level Objectives (SLOs) and the new ...