Splunk Search

Error auto-canceled search

lamnguyentt1
Explorer

Dear professional,

I want to get the log size of each service in an index.
This is my search string:


index="hcg_oapi_prod"| eval size = len(_raw) | stats sum(size) as rawSize by sourcetype | eval GB = round(rawSize / 1024 / 1024/1024, 2)


But this query string cannot be completed and is auto-canceled.


Please help me.

0 Karma

smurf
Path Finder

Hi,

I think you might be hitting some of the user search limits like the amount of memory it can consume.

I would try to switch from Verbose to Fast or specify the _raw field before your eval.

index="hcg_oapi_prod"
| fields _raw
| eval size = len(_raw)
...

This should substantially speed the search up as it would not try to extract all the fields.

0 Karma
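
The suggestion above applied to the full query from the question, as an added example that is not part of either post. `sourcetype` is listed in `fields` alongside `_raw` because `fields` keeps only the named fields plus internal (`_`-prefixed) ones, and the later `stats ... by sourcetype` needs it.

```spl
index="hcg_oapi_prod"
| fields _raw, sourcetype
| eval size = len(_raw)
| stats sum(size) as rawSize by sourcetype
| eval GB = round(rawSize / 1024 / 1024 / 1024, 2)
```

`len(_raw)` counts characters, so the GB figure approximates bytes and will undercount on multi-byte data.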