Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why does my subsearch maxtime setting in limits.conf have no effect?

gesman
Communicator
‎07-07-2015 04:05 PM

I have /my-app/local/limits.conf with the following content:

[subsearch]
maxtime = 600

[join]
subsearch_maxtime = 600
subsearch_timeout = 800

Yet when search finished - job inspector still claims that:

 [subsearch]: Search auto-finalized after time limit (60 seconds) reached.

Does this means the setting is ignored, or does this mean that this message is actually incorrect?

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎07-07-2015 04:25 PM

Make sure you've restarted after making the changes, and run these two to check that Splunk understands your configuration:

./bin/splunk cmd btool --debug limits list subsearch
./bin/splunk cmd btool --debug limits list join
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎07-08-2015 10:13 AM

Side note: Use | format to avoid having to assemble the search string manually.

If you're on 6.2.x, add this to limits.conf:

[search_info]
infocsv_log_level = DEBUG

Then run your search again with the ip-subsearch and look at the debug output at the top of the job inspector. That should present you with a complete list of IPs used for filtering.

0 Karma
Reply

gesman
Communicator
‎07-08-2015 07:19 AM

These commands shows that Splunk honors the limits i set in limits.conf. Which means that ...time limit (60 seconds) reached. message is a bug?

Although I did experiment by comparing results of two queries - one using subsearch and another one using hardcoded search using values that subsearch suppose to return:
index=x page=hello [search index=x user=joe| dedup ip | fields ip] | stats c - this returned c=150
with:
index=x user=joe | fields ip | dedup ip | mvcombine ip | eval ip="(ip=" + mvjoin(ip, " OR ip=") + ")" | table ip
- this returned fragment of search query: (ip=1.2.3.4 OR ip=5.6.7.8 OR ip=...)
- So i copy/pasted this fragment and rerun main query like this:
index=x page=hello (ip=1.2.3.4 OR ip=5.6.7.8 OR ip=...) | stats c - this returned c=200

Which means query with subsearch still missed something, even with high limits value set?

0 Karma
Reply
Get Updates on the Splunk Community!

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...