Hi,
Searching for a specific sourcetype, I get the message
### ERROR FETCHING EVENT FROM SEARCH PEER ###
What can I do with this error? It only occurs at a certain time range (before Sept 24, 7 pm).
Maybe someone has an idea about what this error tells me? I didn't find anything yet.
The whole search query is sourcetype=mysourcetype
Best regards,
Yannic
Are any results returned at all by that search? Or do you only see that error when looking at earlier time buckets in the timeline? And is this a distributed search environment?
It could be that you're running up against the remote_timeline_max_size_mb property in limits.conf. This controls how much of the data returned by the search peer will actually get stored in the search's dispatch directory. The default is 100 MB, and if the peer returns more than that, Splunk will only actually store the latest 100 MB worth. For all earlier events, when attempting to look at them by clicking on a bucket in the timeline, you'll get that message.
Yes, this seems to be the solution. Only the "results" earlier than the last 2 days showed this error.
Yes, it is a distributed search environment.
Thanks for your answer. In the meantime all results started looking normal.
Please paste your search that failed.
I added the query. But it was only sourcetype=mysourcetype. After this certain time, there are results shown.