Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Re: What causes "Search auto-canceled"?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The full error message is "Search auto-canceled The search job has failed due to an error. You may be able view the job in the Job Inspector."
The error occurs once in a while on our dashboard and after some time (usually within minutes) it resolves itself.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Usually this is because your Search Head uses up all available RAM and there is no more to be had so existing searches cannot get the RAM they need and have to abort. Best Practice is to get all the RAM that you possibly can for your Search Head.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Another reason is that your search is hitting one of these defaults (configurable in the Advanced edit section of your saved search):
dispatch.max_count = <integer>
* The maximum number of results before finalizing the search.
* Defaults to 500000.
dispatch.max_time = <integer>
* Indicates the maximum amount of time (in seconds) before finalizing the
search.
* Defaults to 0.
See here:
https://docs.splunk.com/Documentation/Splunk/latest/Admin/Savedsearchesconf
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Would the same reasoning apply if you are using Splunk Cloud ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The max_time should result in an auto-finalized statement but this goes into the info.csv file which is not indexed by default.
If you use Alerts for Splunk Admins or github refer to "SearchHeadLevel - Users with auto-finalized searches"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm currently at a customer site and am seeing the same behavior and I can say that the memory is definitely not running out. We are baffled as well, it happens regularly, but is also intermittent. Same search will complete some of the time, and then a more often than not fail.
Customer is running 7.1.4, and I don't see anything in the release notes that would explain this behavior. We are going to be opening a support ticket to look into it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Did you end up solving the issue with the customer having failed serches (more often that not), but the system resources are not even being used? I am running into the same issue on 9.2.1 running on RHEL 8.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Usually this is because your Search Head uses up all available RAM and there is no more to be had so existing searches cannot get the RAM they need and have to abort. Best Practice is to get all the RAM that you possibly can for your Search Head.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...
