Hello, newbie here...
index="prd_stats" sourcetype=appman:linux host=foo* attribute=CPUUtilization earliest=-1month@month latest=-0month@month | stats avg(value) by host
When I execute this search I get about 350.000 matching events and 40 results, which I expect since I have 40 servers. Now I want to compare this result with that from the month before, so I constructed a search with a subsearch:
index="prd_stats" sourcetype=appman:linux host=foo* attribute=CPUUtilization earliest=-2month@month latest=-1month@month | eval ReportKey="Voorlaatste maand" | append [search index="prd_stats" sourcetype=appman:linux host=foo* attribute=CPUUtilization earliest=-1month@month latest=-0month@month | eval ReportKey="Laatste maand"] | stats avg(value) by ReportKey
However, executing this search results in "Subsearch produced 50000 results, truncating to maxout 50000". I understand from the documentation that I shouldn't fiddle with the settings in limits.conf, so:
How can I limit the number of results in my subsearch without losing the information?
Thanks in advance for your time.
Bert