Splunk Search

Can we include maxtime (present in limits.conf) as an argument to the format command to increase the subsearch execution time?

nikhiltyagi
Explorer

Hi,

I am fairly new to Splunk. I am trying to execute a subsearch. As a simple debug, this is what I tried:
Query - earliest=-2y eventtype="someevent". This query returns 329,916 events; however, when I try this search as a subsearch -
[search earliest=-2y eventtype="someevent"] - this returns 587 results. So is it due to the time limitation of subsearch (which defaults to 60 secs)? Also, is there some way to include maxtime for subsearch, like we can give maxresults using the format command?
TIA.

0 Karma

stephane_cyrill
Builder

Hi TIA,
The limitation of the number of events can be due to the time limitation of the subsearch.
To change the maxtime or other subsearch attributes, edit limits.conf in $SPLUNK_HOME/etc/system/local/
and this is what the stanza to modify looks like.

[subsearch]
# maximum number of results to return from a subsearch
maxout = 10000
# maximum number of seconds to run a subsearch before finalizing
maxtime = 60
# time to cache a given subsearch's results
ttl = 300

NOTE: If the file does not exist, you can create it.

0 Karma
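As an added example (not part of the answer above and not Splunk's own tooling), this Python script merges the [subsearch] stanza from a default and a local limits.conf to show which values take effect when only maxtime is overridden locally. The file contents are constructed samples, the function names are hypothetical, and it assumes just two layers, with local overriding default.

```python
import configparser

# Constructed sample file contents (not taken from a real deployment).
DEFAULT_CONF = """
[subsearch]
# maximum number of results to return from a subsearch
maxout = 10000
# maximum number of seconds to run a subsearch before finalizing
maxtime = 60
# time to cache a given subsearch's results
ttl = 300
"""

# Constructed local override: only the key being changed is listed.
LOCAL_CONF = """
[subsearch]
maxtime = 300
"""

def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}} (values stay strings)."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key case exactly as written
    parser.read_string(text)
    return {s: dict(parser[s]) for s in parser.sections()}

def effective_stanza(stanza, *layers):
    """Merge layers in order; later layers override earlier ones (assumption:
    only a default and a local layer are involved)."""
    merged = {}
    for text in layers:
        merged.update(parse_conf(text).get(stanza, {}))
    return merged

def overrides(stanza, default_text, local_text):
    """Return {key: (default_value, local_value)} for keys changed locally."""
    base = parse_conf(default_text).get(stanza, {})
    local = parse_conf(local_text).get(stanza, {})
    return {k: (base.get(k), v) for k, v in local.items() if base.get(k) != v}

if __name__ == "__main__":
    eff = effective_stanza("subsearch", DEFAULT_CONF, LOCAL_CONF)
    for key in sorted(eff):
        print(f"{key} = {eff[key]}")
    print("local overrides:", overrides("subsearch", DEFAULT_CONF, LOCAL_CONF))
```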