Hi everyone,
I am indexing 3000 large JSON events at a time in Splunk, but when I hit the Splunk query, it gives me below error:
"Events may not be returned in sub-second order due to search memory limits configured in limits.conf".
To resolve this issue, I added max_rawsize_perchunk = 400000000 in my /local/limits.conf as given in the below link:
https://answers.splunk.com/answers/90576/what-does-events-may-not-be-returned-in-sub-second-order-du...
But the query is giving a very slow performance and dashboards are taking a long time to load the data. Are there any parameters which I can use to increase the dashboard performance? Or is there any alternative of max_rawsize_perchunk since it is reducing the dashboard performance to a great extent?
Thanks
The best way to fix this is just to re-sort them when the come back from your search and not bother changing any settings. Just add this:
... | sort 0 - _time
None of this will speed up your search, which is a whole other thing. We cannot help you if you do not show us your SPL.
I have added max_rawsize_perchunk = 400000000 but still getting same error and search is also very slow.