https://community.splunk.com/t5/Splunk-Search/Why-am-I-getting-quot-message-Max-Raw-Size-Limit-Exceeded-quot/m-p/267924#M80605 <P>Greetings,</P> <P>Cribbing this from some Support folks who have run into this before. There is a setting that can be updated to alleviate the message.</P> <P>$SPLUNK_HOME/etc/system/local/limits.conf (or wherever you maintain infrastructure changes like this, but definitely not in etc/system/default/limits.conf!)</P> <P>[search] <BR /> max_rawsize_perchunk = </P> <P>You need to restart Splunk for your change to take effect. </P> <P>If you have enough memory available that you feel comfortable allowing searches to use more of it, you can set 0 as unlimited. We don't have any recommendation threshold about max_rawsize_perchunk, as it depends on how much memory is available on the hosts for the processes to consume. Default is 100MB. If you don't feel comfortable with unlimited, double it until the error message disappears. It's a little bit of trial and error, yes.</P> Tue, 29 Sep 2020 10:51:16 GMT davidpaper 2020-09-29T10:51:16Z https://community.splunk.com/t5/Splunk-Search/Why-am-I-getting-quot-message-Max-Raw-Size-Limit-Exceeded-quot/m-p/267923#M80604 <P>Hi Guys,</P> <P>I'm running a search and it seems to take longer than needed. I've search the logs for errors and found this in search.log:</P> <PRE><CODE>ERROR IndexReaderIf - Max Raw Size Limit Exceeded INFO UnifiedSearch - Error in 'IndexReaderIf': Max Raw Size Limit Exceeded </CODE></PRE> <P>It's generating 100s of these messages in pairs, but I don't understand what it means. What can I do to solve this error?</P> <P>Details:<BR /> Single node Splunk install <BR /> Splunk 6.3.0<BR /> 8 CPU cores<BR /> 32 GB RAM</P> Wed, 09 Dec 2015 11:16:19 GMT https://community.splunk.com/t5/Splunk-Search/Why-am-I-getting-quot-message-Max-Raw-Size-Limit-Exceeded-quot/m-p/267923#M80604 gwobben 2015-12-09T11:16:19Z https://community.splunk.com/t5/Splunk-Search/Why-am-I-getting-quot-message-Max-Raw-Size-Limit-Exceeded-quot/m-p/267924#M80605 <P>Greetings,</P> <P>Cribbing this from some Support folks who have run into this before. There is a setting that can be updated to alleviate the message.</P> <P>$SPLUNK_HOME/etc/system/local/limits.conf (or wherever you maintain infrastructure changes like this, but definitely not in etc/system/default/limits.conf!)</P> <P>[search] <BR /> max_rawsize_perchunk = </P> <P>You need to restart Splunk for your change to take effect. </P> <P>If you have enough memory available that you feel comfortable allowing searches to use more of it, you can set 0 as unlimited. We don't have any recommendation threshold about max_rawsize_perchunk, as it depends on how much memory is available on the hosts for the processes to consume. Default is 100MB. If you don't feel comfortable with unlimited, double it until the error message disappears. It's a little bit of trial and error, yes.</P> Tue, 29 Sep 2020 10:51:16 GMT https://community.splunk.com/t5/Splunk-Search/Why-am-I-getting-quot-message-Max-Raw-Size-Limit-Exceeded-quot/m-p/267924#M80605 davidpaper 2020-09-29T10:51:16Z https://community.splunk.com/t5/Splunk-Search/Why-am-I-getting-quot-message-Max-Raw-Size-Limit-Exceeded-quot/m-p/267925#M80606 <P>It sure would be great if someone could communicate what behavior is known to correlate with this message. That is, is it a nuisance? Is this a performance affecting situation? do you get incomplete search results?</P> Mon, 31 Oct 2016 07:41:35 GMT https://community.splunk.com/t5/Splunk-Search/Why-am-I-getting-quot-message-Max-Raw-Size-Limit-Exceeded-quot/m-p/267925#M80606 jrodman 2016-10-31T07:41:35Z