- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- IndexScopedSearch Error
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
IndexScopedSearch Error
Hello Splunkers!
During search I get an error: "Error in 'IndexScopedSearch': The search failed. More than 1000000 events found at time 1361015487."
Which parameter in the limits.conf file should I increase to avoid this error?
Best regards,
Roman
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I had this same problem in an index taking various exchange log files. After reading this comment about the 100K events indexed in one second being a limitation, I started thinking about that. I have not had this problem before upgrading to splunk 6.1.5 (I was on 4.3.1 before). I looked at their timestamps and realized that these logs are granular only to the second. So I go in touch with the admin on that system, and suggested moving to advance logging, and turning-on millisecond timestamps. I had to re-do my props.conf for the new timestamp but that was trivial, and I am not experiencing this error any more when searching. When you make this change, you switch from monitoring where the log is and the name:
W3SVC1\u_ex*.log to AdvancedLogs\DEFAULT WEB SITE\Exchange_AdvLog_H*.log
I put this in my props.conf for the new format:
detect_trailing_nulls=auto
pulldown_type = true
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false
TIME_FORMAT = %Y-%m-%d %H:%M:%S.%3N
TZ = GMT
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk returns searches in sub second order. You can not have more the 100K events indexed in one second. It is not tunable. Sorry.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Maybe this is hard limitation of Splunk?...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Curious as well - having the same issue.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Curious as well - running into the same situation.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The problem is still not resolved...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you!
I found this answer earlier. But I do not quite understand what kind of setting it:
"parameter tunable based on memory available"
Increase value of parameter "max_mem_usage_mb" doesn't affect the Error...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i think both are same . please check out [here][1]
[1]: http://splunk-base.splunk.com/answers/3397/indexscopedsearch-error-details
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not have any ideas?
Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...
Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...
Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...
