Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Can we include maxtime(present in limits.conf) as an argument to format command to increase the subsearch execution time?

nikhiltyagi
Explorer
‎12-15-2014 05:50 PM

Hi,

I am fairly new to splunk. I am trying to execute a subsearch. As a simple debug this is what I tried:
Query - earliest=-2y eventtype="someevent" . this query returns 329,916 events, however when I try this search as a subsearch-
[search earliest=-2y eventtype="someevent"] This returns 587 results. So is it the due to the time limitation of subsearch ( which defaults to 60 secs). Also, is there some way to include maxtime for subsearch, like we can give maxresults using format command?
TIA.

0 Karma
Reply

stephane_cyrill
Builder
‎12-16-2014 04:57 AM

Hi TIA,
The limitation of the number of events can be due to the time limitation of the subsearch.
To change the maxtime or other subsearch attributes edit limits.conf in $SPLUNK_HOME/etc/system/local/
and this is how the stanza to modified looks like.

[subsearch]

maximum number of results to return from a subsearch

maxout = 10000

maximum number of seconds to run a subsearch before finalizing

maxtime = 60

time to cache a given subsearch's results

ttl = 300

NOTE:If the file do not exist you can create it.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...