Hi everyone,
I am indexing 3000 large JSON events at a time in Splunk, but when I hit the Splunk query, it gives me below error:
"Events may not be returned in sub-second order due to search memory limits configured in limits.conf".
To resolve this issue, I added max_rawsize_perchunk = 400000000 in my /local/limits.conf as given in the below link:
https://answers.splunk.com/answers/90576/what-does-events-may-not-be-returned-in-sub-second-order-due-to-memory-pressure-mean.html
But the query is giving a very slow performance and dashboards are taking a long time to load the data. Are there any parameters which I can use to increase the dashboard performance? Or is there any alternative of max_rawsize_perchunk since it is reducing the dashboard performance to a great extent?
Thanks
... View more