Hi,
When I ran a command which will fetch the events from the last 7 days from a host, Splunk is throwing the below message. Can anyone please explain this message in detail?
[abcidx01] Events may not be returned in sub-second order due to search memory limits configured in limits.conf [search]:max_rawsize_perchunk. See search.log for more information.
It is saying that your events have subseconds (usually milliseconds), so instead of a time like Dec 25 2017 23:30:12, they are like Dec 25 2017 23:30:12.345. And on top of that, the events as returned to you (which are normally sorted in newest-to-oldest order) WILL be that way up until the subseconds part (in my example, the Dec 25 2017 23:30:12 part) but may NOT be properly sorted for each second within the subseconds part (in my example, the .345 part). If this is important to you, be sure to add | sort 0 - _time as the first command after your base search to re-sort the events before further processing them.
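An added example, not part of the original answer: a Python check over a constructed list of result timestamps that reports where newest-to-oldest order holds by whole second but breaks inside a second, then applies the same newest-first re-sort that | sort 0 - _time performs. The sample values and the function names are assumptions made for illustration.

```python
from datetime import datetime

# Constructed sample: newest-to-oldest by whole second, but the three
# events inside second 23:30:12 are not in sub-second order.
SAMPLE = [
    "Dec 25 2017 23:30:13.010",
    "Dec 25 2017 23:30:12.120",
    "Dec 25 2017 23:30:12.345",
    "Dec 25 2017 23:30:12.007",
    "Dec 25 2017 23:30:11.900",
]

FMT = "%b %d %Y %H:%M:%S.%f"


def parse(ts):
    """Parse a timestamp in the format used in the answer, with subseconds."""
    return datetime.strptime(ts, FMT)


def order_report(timestamps):
    """Return (second_order_ok, inversions).

    second_order_ok is False if an event is followed by one from a later
    whole second. inversions holds each index i where event i+1 is newer
    than event i although both fall in the same whole second.
    """
    times = [parse(t) for t in timestamps]
    second_order_ok = True
    inversions = []
    for i in range(len(times) - 1):
        current, following = times[i], times[i + 1]
        if following > current:
            if current.replace(microsecond=0) == following.replace(microsecond=0):
                inversions.append(i)       # only the sub-second part is out of order
            else:
                second_order_ok = False    # order is broken across seconds
    return second_order_ok, inversions


def resort_newest_first(timestamps):
    """Newest-first sort on the full timestamp, subseconds included."""
    return sorted(timestamps, key=parse, reverse=True)


if __name__ == "__main__":
    print(order_report(SAMPLE))
    print(order_report(resort_newest_first(SAMPLE)))
```

Anything that depends on event sequence (a timeline, or a correlation that compares each event with the previous one) should run only after the inversion list is empty.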