Splunk Search

Why does my subsearch maxtime setting in limits.conf have no effect?

gesman
Communicator

I have /my-app/local/limits.conf with the following content:

[subsearch]
maxtime = 600

[join]
subsearch_maxtime = 600
subsearch_timeout = 800

Yet when search finished - job inspector still claims that:

 [subsearch]: Search auto-finalized after time limit (60 seconds) reached.

Does this means the setting is ignored, or does this mean that this message is actually incorrect?

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

Make sure you've restarted after making the changes, and run these two to check that Splunk understands your configuration:

./bin/splunk cmd btool --debug limits list subsearch
./bin/splunk cmd btool --debug limits list join

martin_mueller
SplunkTrust
SplunkTrust

Side note: Use | format to avoid having to assemble the search string manually.

If you're on 6.2.x, add this to limits.conf:

[search_info]
infocsv_log_level = DEBUG

Then run your search again with the ip-subsearch and look at the debug output at the top of the job inspector. That should present you with a complete list of IPs used for filtering.

0 Karma

gesman
Communicator

These commands shows that Splunk honors the limits i set in limits.conf. Which means that ...time limit (60 seconds) reached. message is a bug?

Although I did experiment by comparing results of two queries - one using subsearch and another one using hardcoded search using values that subsearch suppose to return:
index=x page=hello [search index=x user=joe| dedup ip | fields ip] | stats c - this returned c=150
with:
index=x user=joe | fields ip | dedup ip | mvcombine ip | eval ip="(ip=" + mvjoin(ip, " OR ip=") + ")" | table ip
- this returned fragment of search query: (ip=1.2.3.4 OR ip=5.6.7.8 OR ip=...)
- So i copy/pasted this fragment and rerun main query like this:
index=x page=hello (ip=1.2.3.4 OR ip=5.6.7.8 OR ip=...) | stats c - this returned c=200

Which means query with subsearch still missed something, even with high limits value set?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...