Solved: Error in 'IndexScopedSearch': The search failed.

Jaci · ‎05-25-2010

Running this search:

http://host1.com:8000/en-US/app/search/flashtimeline?q=search%20* | regex_raw%3D%22%25SYS-5-CONFIG_I%3A%22%0ALast%2024%20hours#about

results in:

Error in 'IndexScopedSearch': The search failed. More than 125000 events found at time 1274231102.

It actually finds 10 matching events before it errors out.

What's wrong?

sideview · ‎05-26-2010

1) That error you're hitting in IndexScopedSearch is because when there are hundreds of thousands of events indexed in a single second, splunk will run into fundamental memory problems. At base the fix you need to make is in how one or more data inputs are configured, and the question is answered quite well over here: http://splunk-base.splunk.com/answers/303/whats-max-events-i-can-have-timestamped-with-a-particular-...

2) This is not directly related to the error message, but I suspect there's also a missing space in your search as posted and maybe another typo? because running that permalink the search looks like this:

* | regex_raw="%SYS-5-CONFIG_I:"
Last 24 hours

there is no search command called regex_raw, although it seems obvious that you intended | regex _raw? And the newline character followed by 'Last 24 hours' in the search bar looks very strange indeed and I doubt its doing anything useful.

3) This is also not directly related to your error but assuming that you meant to run the rex command and run a regex on the _raw field, its worth mentioning that searching for "*" and then piping that to a rex command on _raw is always going to be an extremely inefficient way to go. search * means that the splunk index has to get every single event off disk and run that regex against it. So if there's any kind of search terms you can put in that initial search clause, it will allow splunk to do less work and that will pay off immensely in search performance.

View solution in original post

sideview · ‎05-26-2010

1) That error you're hitting in IndexScopedSearch is because when there are hundreds of thousands of events indexed in a single second, splunk will run into fundamental memory problems. At base the fix you need to make is in how one or more data inputs are configured, and the question is answered quite well over here: http://splunk-base.splunk.com/answers/303/whats-max-events-i-can-have-timestamped-with-a-particular-...

2) This is not directly related to the error message, but I suspect there's also a missing space in your search as posted and maybe another typo? because running that permalink the search looks like this:

* | regex_raw="%SYS-5-CONFIG_I:"
Last 24 hours

there is no search command called regex_raw, although it seems obvious that you intended | regex _raw? And the newline character followed by 'Last 24 hours' in the search bar looks very strange indeed and I doubt its doing anything useful.

3) This is also not directly related to your error but assuming that you meant to run the rex command and run a regex on the _raw field, its worth mentioning that searching for "*" and then piping that to a rex command on _raw is always going to be an extremely inefficient way to go. search * means that the splunk index has to get every single event off disk and run that regex against it. So if there's any kind of search terms you can put in that initial search clause, it will allow splunk to do less work and that will pay off immensely in search performance.

Jaci · ‎05-28-2010

Thank you for you answer Nick

Error in 'IndexScopedSearch': The search failed.

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases