Monitoring Splunk
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

map command returns main index even searching _internal only

mchang_splunk
Splunk Employee
Splunk Employee
‎05-11-2019 01:12 PM

I tried to test map command on Splunk 7.1.3 with following search:

index=_internal earliest=-60m | map maxsearches=1 search="search index=_internal  earliest=-6m latest=-1m | head 1"

Theoretically, this search should only return one event from index=_internal.
However, lots of events from main index return

alt text

Is this a bug?

Tags (1)
Preview file
212 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

mchang_splunk
Splunk Employee
Splunk Employee
‎05-11-2019 01:19 PM

This is a known issue SPL-167869 and SPL-169704 which will be fixed on 7.3.

Workaround is also available:

add following stanza in ../etc/system/local/limits.conf on SH and restart should fix this issue:

 [search] 
 phased_execution_mode = auto

After workaround applied:

alt text

View solution in original post

Preview file
177 KB
Reply
Solved! Jump to solution
Solution

mchang_splunk
Splunk Employee
Splunk Employee
‎05-11-2019 01:19 PM

This is a known issue SPL-167869 and SPL-169704 which will be fixed on 7.3.

Workaround is also available:

add following stanza in ../etc/system/local/limits.conf on SH and restart should fix this issue:

 [search] 
 phased_execution_mode = auto

After workaround applied:

alt text

Preview file
177 KB
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...