"Events might not be returned in sub-second order due to search memory limits. See search.log for more information. Increase the value of the following limits.conf setting:[search]:max_rawsize_perchunk."

i dont have permissions to change the config files, what am i doing wrong in my steps? i extracted on this case only 987,771 events

Probably trying to index too many events - try reducing the timespan and/or break up your search into multiple smaller chunks.

But I have a problem extracting data from the index not writing to the index. 
(when I created the index I schedule a daily job on a range of 24  hours (data of 1.8, 2.8,..,6.8 separately).

Now I need to use the data that was collected in the index and present data of 30 days

First check to see if you can retrieve events, e.g.

index=summary source="SummaryIndex_Main" | table *

Then see if you can do any stats for this index e.g.

index=summary source="SummaryIndex_Main" | stats count by TimeStamp,source

Hi ,

First query:
I get the results. The error still exists but I get the data. The problem is that I need to extract the original fields, not sure that I get all of them i will check.
in addition, it takes time to extract and i thought that the summary index supposes to improve the performance.

Second query:
The query stopped and the errors are:
"DAG Execution Exception: Search has been canceled 
Search auto-canceled
Events might not be returned in sub-second order due to search memory limits. See search.log for more information. Increase the value of the following limits.conf setting:[search]:max_rawsize_perchunk.The search job has failed due to an error. You may be able view the job in the"

thanks!

Summary indexes can improve performance when you are performing aggregation functions such as count or avg. When you are just collecting all the values of all the fields (particularly by a field which is likely to have lots of unique values), you are not using summary indexes in the manner they were intended to be used and not gaining very much (if anything) in performance. Your summary index probably has the same amount of data as your original index.

Ok i understand, so what do you recommend me to do in my case to improve the performance? It takes too long time to load and run queries..

And how can I extract all the original fields from the index?
in case I execute the report without aggregation (without stats) to pull data from index :

index=summary source="SummaryIndex_Main" | table *

It depends on what you are ultimately trying to do. Just copying the events from the main index to a "summary" index saves you nothing, and indeed seems to make things worse. You could try breaking up your search time frames in to smaller chunks.