Splunk Search

Why am I getting "Error fetching event from search peer" when searching for a specific sourcetype?

yAlff
Path Finder

Hi,
searching for a specific sourcetype I get the message

### ERROR FETCHING EVENT FROM SEARCH PEER ###

What can I do with this error? It only occurs at a certain time range (before Sept 24, 7 pm).
Maybe someone has an idea about what this error tells me? I didn't find anything yet.

The whole search query is sourcetype=mysourcetype

Best regards,
Yannic

1 Solution

pbrunel_splunk
Splunk Employee

Are any results returned at all by that search? Or do you only see that error when looking at earlier time buckets in the timeline? And is this a distributed search environment?

It could be that you're running up against the remote_timeline_max_size_mb property in limits.conf. This controls how much of the data returned by the search peer will actually get stored in the search's dispatch directory. The default is 100mb, and if the peer returns more than that, Splunk will only actually store the latest 100mb worth. For all earlier events, when attempting to look at them by clicking on a bucket in the timeline, you'll get that message.
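For reference, the setting the answer names lives in the [search] stanza of limits.conf on the search head. The fragment below is an added illustration, not text from the thread or from the defaults file Splunk ships: the 100 value is the default the answer states, the stanza placement is taken from limits.conf.spec (confirm with btool on your version), and the raised value of 500 is an assumption chosen only to show the edit, not a recommendation.

```ini
# Added example, not from the thread: search-head side limits.conf
# (e.g. $SPLUNK_HOME/etc/system/local/limits.conf).
# The [search] stanza is where remote_timeline_max_size_mb is defined
# (assumption based on limits.conf.spec; verify with btool).
[search]
# Default per the accepted answer: only the most recent 100 MB of events
# returned by each search peer are kept in the dispatch directory, so
# timeline buckets older than that fail with
# "### ERROR FETCHING EVENT FROM SEARCH PEER ###".
# remote_timeline_max_size_mb = 100

# Illustrative raised cap (assumed value): keeps more per-peer results on
# disk so older buckets stay clickable, at the cost of dispatch space.
remote_timeline_max_size_mb = 500
```

To see which value is actually in effect and which file sets it, run on the search head: splunk btool limits list search --debug | grep remote_timeline. Raising the cap increases per-search disk use under the dispatch directory, so size it against the search head's dispatch volume rather than simply maximising it, and narrow the time range or add a more selective search term if the peers legitimately return far more than the cap.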

yAlff
Path Finder

Yes, this seems to be the solution. Only the "results" earlier than the last 2 days showed this error.
Yes, it is a distributed search environment.

Thanks for your answer. In the meantime all results started looking normal.


alacercogitatus
SplunkTrust

Please paste your search that failed.


yAlff
Path Finder

I added the query. But it was only sourcetype=mysourcetype. After this certain time, there are results shown.
