https://community.splunk.com/t5/Getting-Data-In/IndexScopedSearch-and-default-ingest-timestamp/m-p/391227#M69944 <P><STRONG>Splunk Enterprise</STRONG>. Version: <STRONG>7.2.3</STRONG>. Build: <STRONG>06d57c595b80</STRONG>.</P> <P>New dataset of a 70 MB log file. The timestamp of the log file was based on seconds the device operated, not a traditional month, day, year, etc... When I ingested the file to Splunk, it was assigned the default timestamp of the time of ingest since there was no discernible timestamp. I wanted to round the time to the nearest tenth of a second since further granularity is not needed at this point:<BR /> <CODE>index=main source="03182019.csv" <BR /> | eval appTime=round(time)<BR /> | stats c by appTime<BR /> | sort appTime</CODE></P> <P>When I try doing this search I receive this error: <BR /> <CODE>Error in 'IndexScopedSearch': The search failed. More than 1000000 events found at time 1553486400.</CODE><BR /> Understandably, this is a lot of events but <STRONG>is there no way to increase the limit</STRONG> so searches like this can be run? Currently, it only returns chunks of the data and there are large amounts of it missing. </P> Thu, 04 Apr 2019 20:17:18 GMT ellothere 2019-04-04T20:17:18Z https://community.splunk.com/t5/Getting-Data-In/IndexScopedSearch-and-default-ingest-timestamp/m-p/391227#M69944 <P><STRONG>Splunk Enterprise</STRONG>. Version: <STRONG>7.2.3</STRONG>. Build: <STRONG>06d57c595b80</STRONG>.</P> <P>New dataset of a 70 MB log file. The timestamp of the log file was based on seconds the device operated, not a traditional month, day, year, etc... When I ingested the file to Splunk, it was assigned the default timestamp of the time of ingest since there was no discernible timestamp. I wanted to round the time to the nearest tenth of a second since further granularity is not needed at this point:<BR /> <CODE>index=main source="03182019.csv" <BR /> | eval appTime=round(time)<BR /> | stats c by appTime<BR /> | sort appTime</CODE></P> <P>When I try doing this search I receive this error: <BR /> <CODE>Error in 'IndexScopedSearch': The search failed. More than 1000000 events found at time 1553486400.</CODE><BR /> Understandably, this is a lot of events but <STRONG>is there no way to increase the limit</STRONG> so searches like this can be run? Currently, it only returns chunks of the data and there are large amounts of it missing. </P> Thu, 04 Apr 2019 20:17:18 GMT https://community.splunk.com/t5/Getting-Data-In/IndexScopedSearch-and-default-ingest-timestamp/m-p/391227#M69944 ellothere 2019-04-04T20:17:18Z https://community.splunk.com/t5/Getting-Data-In/IndexScopedSearch-and-default-ingest-timestamp/m-p/512305#M86925 <P>We are experiencing this issue when creating summaries with more than 1M results...&nbsp;</P> Tue, 04 Aug 2020 08:54:46 GMT https://community.splunk.com/t5/Getting-Data-In/IndexScopedSearch-and-default-ingest-timestamp/m-p/512305#M86925 secrecys 2020-08-04T08:54:46Z