Solved: Is it possible to use the same subsearch twice in ...

pduflot · ‎08-03-2016

Hello,

Is it possible to use the same subsearch twice in a search? Of course without having Splunk to execute the search twice, but having it caching the results.

inventsekar · ‎08-03-2016

i think, its possible to use the same subsearch twice in a query.
also, the limits.conf has a parameter "ttl" - Time to cache a given subsearch's results, in seconds, default value 300 seconds.

https://docs.splunk.com/Documentation/Splunk/6.4.2/Search/Aboutsubsearches
on Splunk Enterprise, limits.conf
[subsearch]
maxout =

Maximum number of results to return from a subsearch.
This value cannot be greater than or equal to 10500.
Defaults to 10000.
maxtime =

Maximum number of seconds to run a subsearch before finalizing
Defaults to 60.
ttl =

Time to cache a given subsearch's results, in seconds.
Do not set this below 120 seconds.
Defaults to 300.

View solution in original post

inventsekar · ‎08-03-2016

i think, its possible to use the same subsearch twice in a query.
also, the limits.conf has a parameter "ttl" - Time to cache a given subsearch's results, in seconds, default value 300 seconds.

https://docs.splunk.com/Documentation/Splunk/6.4.2/Search/Aboutsubsearches
on Splunk Enterprise, limits.conf
[subsearch]
maxout =

Maximum number of results to return from a subsearch.
This value cannot be greater than or equal to 10500.
Defaults to 10000.
maxtime =

Maximum number of seconds to run a subsearch before finalizing
Defaults to 60.
ttl =

Time to cache a given subsearch's results, in seconds.
Do not set this below 120 seconds.
Defaults to 300.

Is it possible to use the same subsearch twice in a search?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms