topic Re: Search auto-cancelled in Splunk Search

Search auto-cancelled

hema_5757 — Wed, 19 Mar 2025 12:45:21 GMT

Hi All,

I have following Query

index=wineventlog
|eval _time = strftime(_time,"%Y-%m-%d %H:%M:%S") |eval device_name = lower(Workstation_Name)|dedup device_name | table _time user device_name src_nt_host action ComputerName host SourceName Account_Name Security_ID Logon_Type TaskCategory Type app eventtype product vendor vendor_product Account_Domain dest dest_nt_domain dest_nt_host Error_Code EventCode EventType name source SourceName sourcetype src src_domain src_ip src_nt_domain src_port Virtual_Account LogName Logon_GUID Impersonation_Level

on Yesterday time filter

This search takes more than one hour and when I use this query to output search It process till 60% and then it is giving error like search auto-cancelled. Is there any way that we can handle time for processing this query. or how can I get data in other ways.

If I give shorted timeframe like last 60 min time takes almost 5 min and I can get data. Please suggest.

Re: Search auto-cancelled

livehybrid — Wed, 19 Mar 2025 13:26:18 GMT

Hi @hema_5757

There could be a number of reasons your search is auto-cancelling:

1) The SH does not have enough RAM. Can you confirm how much RAM the SH has, and how much is free during the search?

2) Certain savedsearches.conf properties can affect the amount of time and/or number of results that might return (https://docs.splunk.com/Documentation/Splunk/latest/Admin/Savedsearchesconf) such as:

dispatch.max_count = <integer> * The maximum number of results before finalizing the search. * Defaults to 500000. dispatch.max_time = <integer> * Indicates the maximum amount of time (in seconds) before finalizing the search. * Defaults to 0. dispatch.auto_cancel = <integer> * Specifies the amount of inactive time, in seconds, after which the job is automatically canceled. * 0 means to never auto-cancel the job. * Default: 0

Please review these in your environment to see if this could be impacting.

3) Workload management (WLM) - Are your searches subject to WLM policies?

4) Check the job inspector, if you look at the search.log from within the job inspector for things like cancel/fail/error etc and see if there is more information that you can share with us it might help investigate further.

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will

Re: Search auto-cancelled

gcusello — Wed, 19 Mar 2025 13:28:42 GMT

Hi @hema_5757 ,

your search is very long, so the only way to avoid timeouts like your is to send the job in background [Job > Send Job to background].
eventually adding an email to receive the completion of the job.

Then remember that you have the limit of 10,000 results, so maybe it's better to use more filters if you have too many results.

Ciao.

Giuseppe

Re: Search auto-cancelled

hema_5757 — Wed, 19 Mar 2025 13:41:41 GMT

The Search process around 8K results in 400M events

Re: Search auto-cancelled

livehybrid — Wed, 19 Mar 2025 13:44:51 GMT

Hi @hema_5757 did you see my response with other options under the other reply?

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will