Splunk Search

Sub Search Limit

Kendo213
Communicator

Any ideas on how I can get around the 10k subsearch limit? This search is quick, and works fine, however I'm hitting a limit on the number of records being returned if I lengthen/broaden the search. I've been trying to think of ways of moving away from the subsearch, but I can't seem to get any other method to work.

<form>
  <label>Windows Update Reporting</label>
  <search id="baseSearch">
    <query>index=winevents sourcetype=WindowsUpdateLog (eventtype="Update_Successful" OR eventtype="Update_Failed")  AND package="$updatenumber$" | search[inputlookup $serverworkstation$ | rename cn as host | search host="$hostdevice$" ]
| dedup package, host 
| eval status=if(eventtype=="Update_Successful", "Success", if(eventtype=="Update_Failed", "Failed", "NA")) 
| stats latest(_time) as ltime, count by status, host, package
| convert ctime(ltime) 
| eval lsuccess="Successful at (".ltime.")" 
| eval lfail="Failed at (".ltime.")" 
| eval lstatus=if(status=="Success",lsuccess,lfail) 
| stats values(lstatus) as Status_History by host, package
| sort host,package 
| eval scount=mvcount(Status_History) 
| eval Last_Status=if(scount>1,"Success",if(match(Status_History, "Success*"),"Success","Failed")) 
| search Last_Status="$updatestatus$"
| fields Last_Status,package,host
</query>
    <earliest>$field1.earliest$</earliest>
    <latest>$field1.latest$</latest>
  </search>
  <fieldset submitButton="false">
    <input type="time" token="field1" searchWhenChanged="true">
      <label>Time Range</label>
      <default>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="serverworkstation" searchWhenChanged="true">
      <label>Server/Workstation</label>
      <choice value="serverlist.csv">Servers</choice>
      <choice value="workstationlist.csv">Workstations</choice>
      <choice value="serverlist.csv | inputlookup workstationlist.csv append=t">All</choice>
      <default>serverlist.csv | inputlookup workstationlist.csv append=t</default>
    </input>
    <input type="dropdown" token="updatestatus" searchWhenChanged="true">
      <label>Update Status</label>
      <choice value="Success">Success</choice>
      <choice value="Failed">Failed</choice>
      <choice value="*">Success &amp; Failed</choice>
      <default>Failed</default>
    </input>
    <input type="text" token="hostdevice" searchWhenChanged="true">
      <label>Device (* for all)</label>
      <default>*</default>
    </input>
    <input type="text" token="updatenumber" searchWhenChanged="true">
      <label>KB# (* for all)</label>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <title>Update Statistics - (Devices: $hostdevice$) (KB: $updatenumber$) (Update Status: $updatestatus$)</title>
        <search base="baseSearch">
          <query>stats count by Last_Status</query>
        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.chart.showPercent">1</option>
        <option name="charting.drilldown">all</option>
      </chart>
    </panel>
    <panel>
      <table>
        <title>Update Details - (Devices: $hostdevice$) (KB: $updatenumber$) (Update Status: $updatestatus$)</title>
        <search base="baseSearch"></search>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <chart>
        <title>Top 10 Failing Hosts - (Devices: $hostdevice$) (KB: $updatenumber$) (Update Status: $updatestatus$)</title>
        <search base="baseSearch">
          <query>stats count(eval(Last_Status="Failed")) as FailedUpdates by host | where FailedUpdates>0 | sort - FailedUpdates | head 10 </query>
        </search>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.chart">bar</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.layout.splitSeries">0</option>
      </chart>
    </panel>
    <panel>
      <chart>
        <title>Top 10 Failed Updates - (Devices: $hostdevice$) (KB: $updatenumber$) (Update Status: $updatestatus$)</title>
        <search base="baseSearch">
          <query>stats count(eval(Last_Status="Failed")) as FailedUpdates by package | where FailedUpdates>0 | sort - FailedUpdates | head 10</query>
        </search>
        <option name="charting.chart">pie</option>
      </chart>
    </panel>
  </row>
</form>
0 Karma

woodcock
Esteemed Legend

Change this:

| search[inputlookup $serverworkstation$ | rename cn as host | search host="$hostdevice$" ]

To this:

AND [|inputlookup $serverworkstation$ | rename cn as host | search host="$hostdevice$" ]

Also, it would be more clear if you added a | table host foo bar to the end of the subsearch.

0 Karma

Kendo213
Communicator

So I did get this to work, however it's extremely slow compared to my subsearch. Any thoughts on speeding it up? It takes 139 seconds for a 7-day search; it was basically instant before.

0 Karma

Kendo213
Communicator

This doesn't return any results, unfortunately.

0 Karma

renjith_nair
Legend

Try |format at the end of the subsearch.

Ref : https://docs.splunk.com/Documentation/Splunk/7.1.1/Search/Changetheformatofsubsearchresults

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma

Kendo213
Communicator

I think I've tried that in the past, and did just again. The issue is it will only return 10,000 statistics.

0 Karma
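One way to drop the subsearch entirely, shown here as an added example rather than code from any of the posters above: filter the events with the `lookup` command against the same CSV files instead of expanding them into a subsearch. A subsearch is expanded into a list of `host=...` terms and is cut off at the subsearch maxout (10,000 by default), so any host past the cap simply disappears from a patch-compliance report; a `lookup` is applied to each event as it streams through the pipeline and is not subject to that limit. The example assumes `serverlist.csv` and `workstationlist.csv` are uploaded lookup table files with a `cn` column (as the original `inputlookup ... | rename cn as host` implies); the output field names `server_match`, `workstation_match` and `in_scope` are names chosen for this example. The `host="$hostdevice$"` filter moves into the outer search, which is equivalent to the original because `host` is already a field on the events.

```spl
index=winevents sourcetype=WindowsUpdateLog (eventtype="Update_Successful" OR eventtype="Update_Failed") package="$updatenumber$" host="$hostdevice$"
| lookup serverlist.csv cn AS host OUTPUT cn AS server_match
| lookup workstationlist.csv cn AS host OUTPUT cn AS workstation_match
| eval in_scope=coalesce(server_match, workstation_match)
| where isnotnull(in_scope)
| fields - server_match, workstation_match, in_scope
| dedup package, host
| eval status=if(eventtype=="Update_Successful", "Success", if(eventtype=="Update_Failed", "Failed", "NA"))
| stats latest(_time) as ltime, count by status, host, package
```

The two `lookup` lines cover the "All" choice of the dropdown; for the "Servers" or "Workstations" choices keep only the matching line (or drive the file name from the `$serverworkstation$` token once its "All" value no longer needs to carry an `inputlookup ... append=t` fragment). The rest of the original pipeline, from `convert ctime(ltime)` onward, follows unchanged. Because the CSV is matched per event rather than turned into search terms, the size of the host list is bounded only by the lookup memory limits, and a host missing from the output now means it genuinely had no matching update events, not that it fell past a truncation point.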