Hi,
I am fairly new to splunk. I am trying to execute a subsearch. As a simple debug this is what I tried:
Query - earliest=-2y eventtype="someevent" . this query returns 329,916 events, however when I try this search as a subsearch-
[search earliest=-2y eventtype="someevent"] This returns 587 results. So is it the due to the time limitation of subsearch ( which defaults to 60 secs). Also, is there some way to include maxtime for subsearch, like we can give maxresults using format command?
TIA.
Hi TIA,
The limitation of the number of events can be due to the time limitation of the subsearch.
To change the maxtime or other subsearch attributes edit limits.conf in $SPLUNK_HOME/etc/system/local/
and this is how the stanza to modified looks like.
[subsearch]
maxout = 10000
maxtime = 60
ttl = 300
NOTE:If the file do not exist you can create it.