Hi I am running a query (Time span 24hrs) sourcetype=ABC Application=XXXX Type=XXXX | chart ... | join .. [search sourcetype=ABC | ...] I am getting 2 problems, 1. Search query truncated to results 50000 2. subsearch Search auto-finalized after time limit (30 seconds) reached.
My doubt is Is the search query checking the total events of sourcetype or total events after checking sourcetype, Application and Type?
Is it the command join is the problem in the above search for time limit? Is it possible to do anything without modifying limits.conf