Federated search limitations
A list of ways in which SPL2 searches behave differently for federated searches.
SPL2 behaves differently when it is used in federated searches. Most of these issues are differences that are not expected to be resolved in the near future.
| Limitation | Workaround |
|---|---|
The SPL2 json() function supports only fields with struct, array, and map data types. The json() function does not support string literal values or fields with string, numeric, Boolean, and null data types. |
No workaround. |
The LIKE clause returns 0 results when used on a partition field value with the string data type. |
Append an empty string before the LIKE function:
CODE
CODE
|
| SPL2 federated searches do not auto-round values to a specific number of decimal places. | Add a round() eval function to explicitly set the number of decimal places you want. For example, this search rounds results to 2 decimal places:
CODE
|
| Federated searches do not return results incrementally. Results appear only when the search completes. | No workaround. |
SPL2 federated searches that run the union command over remote datasets can return inconsistent results. By default, subsearches return a maximum of 10k results and have a maximum run time of 60 seconds. In high volume environments, such subsearches might time out before they complete. |
Use the LIMIT clause with FROM to reduce subsearch load. |
Results may vary across runs for SPL2 federated searches that match a number of results that exceed an explicit LIMIT clause (or the implicit limit set by the max_number_of_results setting, if no LIMIT clause is present). |
To get consistent results, add an ORDER BY clause to the search, or reduce the result set below the threshold. |