https://community.splunk.com/t5/Splunk-Search/Why-are-events-are-not-displayed-in-the-search-results-because/m-p/638910#M221387 <P>The problem is exactly what it says it is.&nbsp; The situation is EITHER:<BR />A: You are NOTlinbreaking the file correctly and each current event is actually MANY events<BR />B: You ARE linebreaking the file correctly and each current event really is HUUUUGE.<BR /><BR />In the case of the former, just fix it.&nbsp; In the case of the latter, you will have to reformat the original logs to ensure that each event is smaller the inescapable limit.&nbsp; We usually use cribl for this but it is more than we can talk about in here because there is bunch of depends.&nbsp; I am easy to find so reach out to me if you are in the latter boat.</P> Wed, 05 Apr 2023 21:53:19 GMT woodcock 2023-04-05T21:53:19Z https://community.splunk.com/t5/Splunk-Search/Why-are-events-are-not-displayed-in-the-search-results-because/m-p/638880#M221366 <P>Hi Team</P> <P>I am getting below warning notification from indexers , can someone help how to clear this .</P> <P>&nbsp;</P> <P>"<SPAN>Search peer XXXX has the following message: Events are not displayed in the search results because _raw fields exceed the limit of 16777216 characters. Ensure that _raw fields are below the given character limit or switch to the CSV serialization format by setting 'results_serial_format=csv' in limits.conf. Switching to the CSV serialization format will reduce search performance</SPAN>"</P> Wed, 05 Apr 2023 19:23:13 GMT https://community.splunk.com/t5/Splunk-Search/Why-are-events-are-not-displayed-in-the-search-results-because/m-p/638880#M221366 ssuluguri 2023-04-05T19:23:13Z https://community.splunk.com/t5/Splunk-Search/Why-are-events-are-not-displayed-in-the-search-results-because/m-p/638910#M221387 <P>The problem is exactly what it says it is.&nbsp; The situation is EITHER:<BR />A: You are NOTlinbreaking the file correctly and each current event is actually MANY events<BR />B: You ARE linebreaking the file correctly and each current event really is HUUUUGE.<BR /><BR />In the case of the former, just fix it.&nbsp; In the case of the latter, you will have to reformat the original logs to ensure that each event is smaller the inescapable limit.&nbsp; We usually use cribl for this but it is more than we can talk about in here because there is bunch of depends.&nbsp; I am easy to find so reach out to me if you are in the latter boat.</P> Wed, 05 Apr 2023 21:53:19 GMT https://community.splunk.com/t5/Splunk-Search/Why-are-events-are-not-displayed-in-the-search-results-because/m-p/638910#M221387 woodcock 2023-04-05T21:53:19Z https://community.splunk.com/t5/Splunk-Search/Why-are-events-are-not-displayed-in-the-search-results-because/m-p/646012#M223646 <P>is there a way to identify what logs are those?</P> Wed, 07 Jun 2023 02:55:36 GMT https://community.splunk.com/t5/Splunk-Search/Why-are-events-are-not-displayed-in-the-search-results-because/m-p/646012#M223646 JNgoho 2023-06-07T02:55:36Z https://community.splunk.com/t5/Splunk-Search/Why-are-events-are-not-displayed-in-the-search-results-because/m-p/646013#M223647 <P>Hi</P><P>probably you could found those by searching for _internal? I haven’t have this kind of situation, sou I couldn’t give you a SPL for that. Another option is look your current search which has given that warning. Then just create search like</P><LI-CODE lang="markup">&lt;your base from previous search&gt; |eval len =length(_raw) | fields host source sourcetype len | where len &gt; &lt;max length from error message&gt;</LI-CODE><P>r. Ismo&nbsp;</P> Wed, 07 Jun 2023 04:38:29 GMT https://community.splunk.com/t5/Splunk-Search/Why-are-events-are-not-displayed-in-the-search-results-because/m-p/646013#M223647 isoutamo 2023-06-07T04:38:29Z