Monitoring Splunk

Performance impact on using max_rawsize_perchunk in limits.conf

priyg96
New Member

Hi everyone,
I am indexing 3000 large JSON events at a time in Splunk, but when I hit the Splunk query, it gives me the below error:
"Events may not be returned in sub-second order due to search memory limits configured in limits.conf".

To resolve this issue, I added max_rawsize_perchunk = 400000000 in my /local/limits.conf as given in the below link:
https://answers.splunk.com/answers/90576/what-does-events-may-not-be-returned-in-sub-second-order-du...

But the query is giving very slow performance and dashboards are taking a long time to load the data. Are there any parameters which I can use to increase the dashboard performance? Or is there any alternative to max_rawsize_perchunk, since it is reducing the dashboard performance to a great extent?

Thanks

0 Karma

woodcock
Esteemed Legend

The best way to fix this is just to re-sort them when they come back from your search and not bother changing any settings. Just add this:

... | sort 0 - _time

None of this will speed up your search, which is a whole other thing. We cannot help you if you do not show us your SPL.

0 Karma

aakif
Engager

I have added max_rawsize_perchunk = 400000000 but I am still getting the same error and the search is also very slow.

0 Karma