Hi,
I have a search query which includes a subsearch, as follows:
host="sharepoint" | rex field=msg "\sMore\sinformation:\s(?<EventCode>[\dxA-F]+)" | rename EventCode as output | eventstats count by output | sort -count | dedup output | append [search host="database" | rename EventCode as output | eventstats count by output | dedup output | sort -count | head 5] | table output count | sort -count
When I run this search it says:
[subsearch]: Search auto-finalized after time limit (30 seconds) reached
I checked my limits.conf file and its subsearch parameters are:
[subsearch]
maxout = 10000
maxtime = 60
ttl = 300
So what needs to be changed? Are there any changes to be made in the limits.conf file? How do I get out of this problem? Also, my search is taking too long to process (taking more time).
Thank you