maxresults in subquery -- documentation and product help banner differ

  • Graham Watts

    Hey Sarah,

    Can you post a sanitized version of your query with the subquery here so I can take a look?


  • Sarah Schwanbeck

    _sourceCategory=(somecategory)
    | json auto
    | where
    [subquery from=(yyyy/mm/dd HH:MM:ss) to=(yyyy/mm/dd HH:MM:ss):
    _sourceCategory=(same cate as above)
    | json "type", "user_name", "user_agent" as type, user_name, squseragent
    | where type matches "s*" 
    | compose user_name maxresults=10000]
    | order by user_name
    | fields _time, type, user_name, client_name, user_agent

     

    Note:

    • yyyy is a 4-digit year (2020)
    • mm is a 2-digit month
    • dd is a 2-digit day of month
    • HH is a 2-digit hour of the 24-hour day
    • MM is a 2-digit minute within the hour
    • ss is a 2-digit second within the minute

  • Graham Watts

    Hi Sarah,

    I have just tested and both of these will work:

    • | compose user_name maxresults=10000]
    • | compose user_name maxResults=10000]

    The warning that you are seeing is likely related to the number of user names you are returning over the time window of your query. It sounds like even after you add maxResults=10000, you are exceeding 10,000 users.

