topic How to get latest time from an index's subsearch in Splunk Search

How to get latest time from an index's subsearch

aa70627 — Fri, 25 Sep 2020 20:20:52 GMT

When i run this query it seems to run just fine as an adhoc search but when i schedule it, it throws the following error

[subsearch]: [subsearch]: [SERVER1] Search process did not exit cleanly, exit_code=-1, description="exited with code -1". Please look in search.log for this peer in the Job Inspector for more info.

Here's the query. The issue is definitely not space on the drive, there's plenty of space. Also, if I hard code subsearch search index=idx2 earliest=-30d@d latest=now, the scheduled search will work fine but then i would have to add some additional lines of SPL to ensure we are using only the latest pull to avoid duplicate data which takes a little longer to run as well.

Re: How to get latest time from an index's subsearch

richgalloway — Fri, 25 Sep 2020 21:05:50 GMT

What information did you find in the search log?

Re: How to get latest time from an index's subsearch

aa70627 — Fri, 25 Sep 2020 23:41:36 GMT

Its extensively long. most of them were ignorable based on other splunk answers. This one seems to have caught my attention.

info : Your timerange was substituted based on your search string
info : [subsearch]: Your timerange was substituted based on your search string
warn : The limit has been reached for log messages in info.csv. 52 messages have not been written to info.csv. Refer to search.log for these messages or limits.conf to configure this limit.

i used the solution from this one and it resolved my issue. I'm not seeing the error anymore in the past 5 scheduled searches - "Search process did not exit cleanly, exit_code=-1, description="exited with code -1"."

https://community.splunk.com/t5/Splunk-Search/After-updating-an-app-why-am-I-getting-search-error-quot-The/m-p/239462

solution

Add a limits $Splunk_home$/etc/app/{your_app}/local/limits.conf and add the stanza.

[search_info]
max_infocsv_messages =1000