Monitoring Splunk

Performance impact on using max_rawsize_perchunk in limits.conf

priyg96
New Member

Hi everyone,
I am indexing 3000 large JSON events at a time in Splunk, but when I hit the Splunk query, it gives me below error:
"Events may not be returned in sub-second order due to search memory limits configured in limits.conf".

To resolve this issue, I added max_rawsize_perchunk = 400000000 in my /local/limits.conf as given in the below link:
https://answers.splunk.com/answers/90576/what-does-events-may-not-be-returned-in-sub-second-order-du...

But the query is giving a very slow performance and dashboards are taking a long time to load the data. Are there any parameters which I can use to increase the dashboard performance? Or is there any alternative of max_rawsize_perchunk since it is reducing the dashboard performance to a great extent?

Thanks

0 Karma

woodcock
Esteemed Legend

The best way to fix this is just to re-sort them when the come back from your search and not bother changing any settings. Just add this:

... | sort 0 - _time

None of this will speed up your search, which is a whole other thing. We cannot help you if you do not show us your SPL.

0 Karma

aakif
Engager

I have added max_rawsize_perchunk = 400000000 but still getting same error and search is also very slow.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...