I had a vaguely similar problem a few weeks ago. In your query, just write join max=0 SessionId in place of join SessionId. If you have a support contract, file a new case using the Splunk Support Portal at Support. The join command contains an option called maxint that is used to specify how many subsearch results can join with main search results. 02-17-2016 05:48 AM Hi, I wonder whether someone may be able to help me please. select a.firstname as first1, a.lastname as last1, b.firstname as first2, b.lastname as last2, b.date as date from myTable a inner join myTable b on a.id = b.referrerid Which returns the following table, which gives exactly the data I need. Time to cache a given subsearch's results. Maximum number of seconds to run a subsearch before finalizing. Splunk Cloud Platform: To change the max_mem_usage_mb setting, request help from Splunk Support. In SQL I can do this quite easily with the following command. Maximum number of results to return from a subsearch. By default, this threshold is set to 1000000 events. When the threshold is exceeded, a back pressure event is triggered to slow the collection of events. The problem is that the join only returns the first match even though the max=0 setting is set. Do not set max_mem_usage_mb=0 as this removes the bounds to the amount of memory the eventstats command processor can use. The maximum amount of unacknowledged events kept in memory by the connector. It is impossible to join tables with more than 50k rows in Splunk, so I'm using some tricks, and these tricks are extremely annoying. Then if any rows that have that persistent_id have turned up in the last 2 days it joins them to the Applicant table and returns a table result with the audit id and the names. It first selects any rows from the audit table that have a not null persistent_id that occurs in the table more than 20 times.