Splunk Search

indexer search limits reached

kteng2024
Path Finder

Hi,

When I ran a command which will fetch the events from the last 7 days from a host, Splunk is throwing the below message. Can anyone please explain in detail about this message?

[abcidx01] Events may not be returned in sub-second order due to search memory limits configured in limits.conf [search]:max_rawsize_perchunk. See search.log for more information.

1 Solution

woodcock
Esteemed Legend

It is saying that your events have subseconds (usually milliseconds), so instead of a time like Dec 25 2017 23:30:12, they are like Dec 25 2017 23:30:12.345. And on top of that, the events as returned to you (which are normally sorted in newest-to-oldest order) WILL be that way up until the subseconds part (in my example, the Dec 25 2017 23:30:12 part) but may NOT be properly sorted for each second within the subseconds part (in my example, the .345 part). If this is important to you, be sure to add | sort 0 - _time as the first command after your base search to re-sort the events before further processing them.
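
An added example, not part of the original post: a search that applies the suggested `| sort 0 - _time` and then counts events that are still out of newest-to-oldest order within the same whole second. The `<your_index>` and `<your_host>` values are placeholders, and the field names `prev_time`, `same_second` and `subsecond_misordered` are chosen here for illustration.

```spl
index=<your_index> host=<your_host> earliest=-7d latest=now
| sort 0 - _time
| streamstats current=f window=1 last(_time) as prev_time
| eval same_second=if(isnotnull(prev_time) AND floor(_time)==floor(prev_time), 1, 0)
| eval subsecond_misordered=if(same_second==1 AND _time>prev_time, 1, 0)
| stats count as events, sum(subsecond_misordered) as subsecond_misordered
```

Run it once without the `sort` line to see how many events come back misordered inside a second, then with it to confirm the count drops to 0. This matters when later commands depend on event order.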

