Solved: What does "Events may not be returned in sub-secon... - Page 2

jtrucks · ‎06-05-2013

What does "Events may not be returned in sub-second order due to memory pressure." mean?

--
Jesse Trucks
Minister of Magic

hexx · ‎06-05-2013

This is a message indicating that we are throttling the rate at which a search process reads event raw data (the _raw field) to keep the memory usage of the search process low.
We've had issues of high memory usage with searches encountering patches of large (~10KB or more) _raw fields, so when that happens, we slow down the rate at which we read those events.

That being said, we also discovered that:

This message is not informative enough
The default threshold is too low

We are adjusting both of those things in a future release.

In the meantime, if you have enough memory available that you feel comfortable allowing searches to use more of it, you can increase this threshold by changing the value of max_rawsize_perchunk in limits.conf:

max_rawsize_perchunk = <integer>
* Maximum raw size of results per call to search (in dispatch).
* 0 = no limit.                   
* Defaults to 100000000 (100MB)
* Not affected by chunk_multiplier

View solution in original post

What does "Events may not be returned in sub-second order due to memory pressure." mean?

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes