https://community.splunk.com/t5/Splunk-Search/Error-in-IndexScopedSearch-The-search-failed/m-p/14255#M1487 <P>1) That error you're hitting in IndexScopedSearch is because when there are hundreds of thousands of events indexed in a single second, splunk will run into fundamental memory problems. At base the fix you need to make is in how one or more data inputs are configured, and the question is answered quite well over here: <A href="http://splunk-base.splunk.com/answers/303/whats-max-events-i-can-have-timestamped-with-a-particular-second-millisecond" target="test_blank">http://splunk-base.splunk.com/answers/303/whats-max-events-i-can-have-timestamped-with-a-particular-second-millisecond</A> </P><P>2) This is not directly related to the error message, but I suspect there's also a missing space in your search as posted and maybe another typo? because running that permalink the search looks like this: </P> <PRE><CODE>* | regex_raw="%SYS-5-CONFIG_I:" Last 24 hours </CODE></PRE> <P>there is no search command called <CODE>regex_raw</CODE>, although it seems obvious that you intended <CODE>| regex _raw</CODE>? And the newline character followed by 'Last 24 hours' in the search bar looks very strange indeed and I doubt its doing anything useful. </P> <P>3) This is also not directly related to your error but assuming that you meant to run the <CODE>rex</CODE> command and run a regex on the _raw field, its worth mentioning that searching for "*" and then piping that to a rex command on _raw is always going to be an extremely inefficient way to go. search * means that the splunk index has to get every single event off disk and run that regex against it. So if there's any kind of search terms you can put in that initial search clause, it will allow splunk to do less work and that will pay off immensely in search performance. </P> Wed, 26 May 2010 12:49:48 GMT sideview 2010-05-26T12:49:48Z https://community.splunk.com/t5/Splunk-Search/Error-in-IndexScopedSearch-The-search-failed/m-p/14254#M1486 <P>Running this search:</P> <P><A href="http://host1.com:8000/en-US/app/search/flashtimeline?q=search%20" rel="nofollow">http://host1.com:8000/en-US/app/search/flashtimeline?q=search%20</A>* | regex_raw%3D%22%25SYS-5-CONFIG_I%3A%22%0ALast%2024%20hours#about</P> <P>results in:</P> <P>Error in 'IndexScopedSearch': The search failed. More than 125000 events found at time 1274231102.</P> <P>It actually finds 10 matching events before it errors out.</P> <P>What's wrong?</P> Wed, 26 May 2010 04:55:33 GMT https://community.splunk.com/t5/Splunk-Search/Error-in-IndexScopedSearch-The-search-failed/m-p/14254#M1486 Jaci 2010-05-26T04:55:33Z https://community.splunk.com/t5/Splunk-Search/Error-in-IndexScopedSearch-The-search-failed/m-p/14255#M1487 <P>1) That error you're hitting in IndexScopedSearch is because when there are hundreds of thousands of events indexed in a single second, splunk will run into fundamental memory problems. At base the fix you need to make is in how one or more data inputs are configured, and the question is answered quite well over here: <A href="http://splunk-base.splunk.com/answers/303/whats-max-events-i-can-have-timestamped-with-a-particular-second-millisecond" target="test_blank">http://splunk-base.splunk.com/answers/303/whats-max-events-i-can-have-timestamped-with-a-particular-second-millisecond</A> </P><P>2) This is not directly related to the error message, but I suspect there's also a missing space in your search as posted and maybe another typo? because running that permalink the search looks like this: </P> <PRE><CODE>* | regex_raw="%SYS-5-CONFIG_I:" Last 24 hours </CODE></PRE> <P>there is no search command called <CODE>regex_raw</CODE>, although it seems obvious that you intended <CODE>| regex _raw</CODE>? And the newline character followed by 'Last 24 hours' in the search bar looks very strange indeed and I doubt its doing anything useful. </P> <P>3) This is also not directly related to your error but assuming that you meant to run the <CODE>rex</CODE> command and run a regex on the _raw field, its worth mentioning that searching for "*" and then piping that to a rex command on _raw is always going to be an extremely inefficient way to go. search * means that the splunk index has to get every single event off disk and run that regex against it. So if there's any kind of search terms you can put in that initial search clause, it will allow splunk to do less work and that will pay off immensely in search performance. </P> Wed, 26 May 2010 12:49:48 GMT https://community.splunk.com/t5/Splunk-Search/Error-in-IndexScopedSearch-The-search-failed/m-p/14255#M1487 sideview 2010-05-26T12:49:48Z https://community.splunk.com/t5/Splunk-Search/Error-in-IndexScopedSearch-The-search-failed/m-p/14256#M1488 <P>Thank you for you answer Nick</P> Fri, 28 May 2010 22:09:36 GMT https://community.splunk.com/t5/Splunk-Search/Error-in-IndexScopedSearch-The-search-failed/m-p/14256#M1488 Jaci 2010-05-28T22:09:36Z