Splunk Search

Why are we getting "[subsearch]: Search auto-finalized after time limit (60 seconds) reached" error?

ddrillic
Ultra Champion

We get the error such as -

[subsearch]: Search auto-finalized after time limit(60 seconds) reached.

We changed the following for the search app while we use a different app -

$ cat limits.conf
[search]
# setting for an hour
maxtime = 216000

Any ideas?

1 Solution

ddrillic
Ultra Champion

We ended up having the following in limits.conf -

[subsearch]
maxout = 50000
maxtime = 3600
ttl = 300

[join]
subsearch_maxout = 50000
subsearch_maxtime = 3600
subsearch_timeout = 360

It works!!! ; - )

View solution in original post

ddrillic
Ultra Champion

We ended up having the following in limits.conf -

[subsearch]
maxout = 50000
maxtime = 3600
ttl = 300

[join]
subsearch_maxout = 50000
subsearch_maxtime = 3600
subsearch_timeout = 360

It works!!! ; - )

woodcock
Esteemed Legend

You could run a scheduled search to pull the hunk data in on a regular basis and then use loadjob in your subsearch to access the hunk data from the scheduled search (or ref if in a dashboard panel).

0 Karma

ddrillic
Ultra Champion

Interesting - we should try that...

0 Karma

woodcock
Esteemed Legend

You should show your subsearch; there must be something wrong with it taking so long. It needs optimization.

0 Karma

ddrillic
Ultra Champion

It's a Hunk one - huge data set ; -)

woodcock
Esteemed Legend

One of the very few GOOD reasons to resort to upping the timeout.

0 Karma

ddrillic
Ultra Champion

Very kind @woodcock ; -)

But, you see, why does the error message speak about 60 seconds after we upped the timeout interval to an hour?

0 Karma

DalJeanis
SplunkTrust
SplunkTrust

did you restart splunk after changing the configuration?

0 Karma

ddrillic
Ultra Champion

Oh yeah - we did.

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...