Solved: Results Limiting to 50,000: How to tweak my query ...

vishwa · ‎09-18-2023

I have below query:

|stats count(matchfield)

When i run this search query the statics values are limiting to 50,000
How to tweak my query to see complete results without restricting.

PickleRick · ‎09-18-2023

You're using the join command which spawns a subsearch. Subsearches have a limit on runtime as well as on returned results. You're hitting that limit. Try reworking your search so that you don't need to use join. It's often better to group your data with the stats command especially that both searches you're trying to join are from the same index.

As a side note, with a raw search, I don't think there will be a noticeable difference between TERM(Application) and just searching for the string Application - there would be a huge difference though if you reworked your search | stats into a tstats-based search.

View solution in original post

PickleRick · ‎09-18-2023

You're using the join command which spawns a subsearch. Subsearches have a limit on runtime as well as on returned results. You're hitting that limit. Try reworking your search so that you don't need to use join. It's often better to group your data with the stats command especially that both searches you're trying to join are from the same index.

As a side note, with a raw search, I don't think there will be a noticeable difference between TERM(Application) and just searching for the string Application - there would be a huge difference though if you reworked your search | stats into a tstats-based search.

Results Limiting to 50,000: How to tweak my query to see complete results without restricting?

using Splunk Enterprise

Bridging the Gap: Splunk Helps Students Move from Classroom to Career

Preparing your Splunk Environment for OpenSSL3

Unleash Unified Security and Observability with Splunk Cloud Platform