subsearch default time range

Question

Are sub-searches, by default, constrained to the time range that is currently in the picker? Or are they run over "all time" unless you specify a range such as earliest=-24h latest=now?

I can't tell just by the speed of search execution because my search + subsearch appears to take a while to complete.

Accepted Answer

I believe that unless you specify earliest and latest, subsearches are run over the time range chosen in the time picker, but will only run for as long as the maxtime setting in limits.conf specifies.

Section of limits.conf:

[subsearch]
maxout = <integer>
* Maximum number of results to return from a subsearch.
* Defaults to 100.

maxtime = <integer>
* Maximum number of seconds to run a subsearch before finalizing
* Defaults to 60.

ttl = <integer>
* Time to cache a given subsearch's results.
* Defaults to 300.

Answer 2

1

Subsearches are run with the same time range as the time picker selects (which are passed as an API parameter to the search). If you set a time range in the search string, say with earliest=..., it will not be used by the subsearch, only the API parameter.

link

answered 16 Sep '10, 20:13

Stephen Sorkin ♦
8.1k●4●7
accept rate: 52%

subsearch default time range

Follow this question

Splunk Resources

Related questions