Splunk Search

need subsearch to return more than 10k results

jshaynes
Explorer

I have several use cases where I need to run a subsearch that is not limited to the default 10k results.

Ex.
This search does not return any results:

eventtype=cisco_esa [search "Bounced by destination server with response" | fields mid] | transaction fields=mid | search abc@def.com

However, this search returns results:

eventtype=cisco_esa [search abc@def.com | fields mid] | transaction fields=mid | search "Bounced by destination server with response"

I believe it is due to the subsearch size limit, because the abc@def.com field is being truncated from the subsearch results...

I.e.
Returns 100k results:

search "Bounced by destination server with response" | fields mid

Returns 1k results:

search abc@def.com | fields mid

Alternatively, is there another way to structure the first command to get it working without using subsearch?


Takajian
Builder

If you want to correlate big data, one other way is to use a lookup table. Since a lookup table does not have a limitation like 100K, it may be useful. But the lookup table is required to be created before you execute the search command to get your final result. You can create the lookup table by using the outputlookup command manually or by scheduling.

http://docs.splunk.com/Documentation/Splunk/latest/User/CreateAndConfigureFieldLookups

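Worked example of the lookup-table approach, added here as an illustration; it is not SPL from the original post or from Takajian's answer. The lookup file name bounced_mids.csv, the bounce_count field and the eventtype/field names are assumptions carried over from the question. The first search is meant to run as a scheduled saved search (or once by hand) and writes every mid that ever carried the bounce message to a CSV lookup; because outputlookup writes rows rather than returning them to an outer search, the 10k subsearch result cap does not apply. The second search is the main query: instead of pulling mids in through a subsearch it enriches each event from the lookup, keeps only events whose mid is in the bounced set, and then builds the transactions and filters on the address exactly as the first query in the question intended. The third search is the subsearch-free restructuring asked about at the end of the question: group everything by mid first, then require both strings in the same transaction. It is correct but has to build transactions over all cisco_esa events in the time range, so it is the most expensive of the three.

```spl
eventtype=cisco_esa "Bounced by destination server with response"
| stats count AS bounce_count BY mid
| outputlookup bounced_mids.csv

eventtype=cisco_esa
| lookup bounced_mids.csv mid OUTPUT bounce_count
| where isnotnull(bounce_count)
| transaction fields=mid
| search abc@def.com

eventtype=cisco_esa
| transaction fields=mid
| search "Bounced by destination server with response" abc@def.com
```

Two checks worth doing before trusting the lookup version: confirm the scheduled search's time range covers the same window as the main search (a nightly run over the last 24 hours silently drops older mids), and confirm that `| inputlookup bounced_mids.csv | stats count` reports roughly the 100k rows the raw search returned, so you know the lookup was written completely rather than truncated by the subsearch limit you were trying to avoid.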