Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- subsearch limit
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
akawacz
Path Finder
11-30-2015
08:46 AM
Hi,
How can i overcome subsearch limitation. I do not want to change limit in conf files. I have read that this can cause instability.
In my below search I want to find differences between two data sets. My subsearch is returing just 50.000 rows that is why search not working properly
index=A earliest=-45d@| dedup IM_ID
|eval TYPE_OF_REPORT="Y"
|eval HASH=md5(ifnull(ASSIGNEE,"Empty").ifnull(ID,"Empty")
| table ID ASSIGNEE HASH TYPE_OF_REPORT
|append [search index = B|eval TYPE_OF_REPORT="X"| table ID ASSIGNEE HASH TYPE_OF_REPORT] |stats values(*) AS * dc(TYPE_OF_REPORT) as t by HASH |where t=1 and match(TYPE_OF_REPORT,"Y").
Thanks
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sundareshr
Legend
11-30-2015
09:47 AM
How about something like this (not tested)
(index-A OR index=B) | dedup IM_ID index
| eval hash=md5(ifnull(ASSIGNEE,"Empty").ifnull(ID,"Empty")
| streamstats window=1 list(eval(if(index="A", "Y", "X"))) as TYPE_OF_REPORT by index
| table ID ASSIGNEE HASH TYPE_OF_REPORT
| stats values(*) as * dc(TYPE_OF_REPORT) as t by hash
| where t=1 and match(TYPE_OF_REPORT, "Y")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sundareshr
Legend
11-30-2015
09:47 AM
How about something like this (not tested)
(index-A OR index=B) | dedup IM_ID index
| eval hash=md5(ifnull(ASSIGNEE,"Empty").ifnull(ID,"Empty")
| streamstats window=1 list(eval(if(index="A", "Y", "X"))) as TYPE_OF_REPORT by index
| table ID ASSIGNEE HASH TYPE_OF_REPORT
| stats values(*) as * dc(TYPE_OF_REPORT) as t by hash
| where t=1 and match(TYPE_OF_REPORT, "Y")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
akawacz
Path Finder
12-01-2015
05:26 AM
Hi
You gave me idea with combaning indexs by OR.
I have used eval with If instead of streamstats.
eval TYPE_OF_REPORT=if(index=="A","X","Y")
Thank you
Get Updates on the Splunk Community!
Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA
Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...
.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...
If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...
A Season of Skills: New Splunk Courses to Light Up Your Learning Journey
There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...
