Solved: Does the multisearch command have a limit like sub...

Masa · ‎11-12-2015

I'm curious about the limit of the multisearch command.

subsearch has limits in limits.conf.
Is there any limit for each search clause in the multisearch command like subsearch?

cpride_splunk · ‎11-13-2015

multisearch doesn't have the same type of limits as subsearches as it operates in a very different way. A "subsearch" generally runs during the parse phase of the search and has to finish and return results before the parse finishes. multisearch is a generating search command that will get distributed to the index layer and it alternates between the specified searches returning one packet of results at a time from each search. (There is some variance of the ordering here depending on if the search believes it is order dependent.) The main limitations of multisearch is that it requires that the searches be entirely distributable/streamable given that it is itself distributed.

View solution in original post

cpride_splunk · ‎11-13-2015

multisearch doesn't have the same type of limits as subsearches as it operates in a very different way. A "subsearch" generally runs during the parse phase of the search and has to finish and return results before the parse finishes. multisearch is a generating search command that will get distributed to the index layer and it alternates between the specified searches returning one packet of results at a time from each search. (There is some variance of the ordering here depending on if the search believes it is order dependent.) The main limitations of multisearch is that it requires that the searches be entirely distributable/streamable given that it is itself distributed.

Masa · ‎11-14-2015

Super! Thanks, Chris.

Does the multisearch command have a limit like subsearch?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

New in Observability Cloud - Explicit Bucket Histograms