Splunk Search
Highlighted

Error in 'IndexScopedSearch': The search failed. More than 125000 events found at time 1283184202

Path Finder

I started seeing this error yesterday, and the Splunk>answers responses so far don't seem to fit a pattern I am seeing. I seem to get this after I do a lot of searches within a specific time frame, such as last 24 hours. It seems like the "IndexScopedSearch" is retaining/accumulating timestamped data. Is this Index used only to store search results?

I have attempted to see what events were logged at time 1283183159, but I get zero results with searches such as time=1283183159, _time=1283183159 or timestamp=1283183159. How do I find events at the specified time?

Thank you Randy

Tags (4)
0 Karma
Highlighted

Re: Error in 'IndexScopedSearch': The search failed. More than 125000 events found at time 1283184202

Splunk Employee
Splunk Employee

This answer explains what you are seeing I think. It is possible that the data is getting timestamped incorrectly by Splunk, but we'd need more information.

0 Karma
Highlighted

Re: Error in 'IndexScopedSearch': The search failed. More than 125000 events found at time 1283184202

Path Finder

I can't seem to comment on Answers in Internet Explorer 8 (32bit) or FireFox 3.6.8.

I have read that answer before posting, but it does not seem to relate. If it does relate, I am missing the point. I seriously doubt that we have any single host producing 100,000 messages per second.

I have quite a number of successful searches prior to receiving this error. It seems like I hit some limit on searches and this error appears. The search time frame is the last 24 hours, and I do not see any recent events that would number more than a dozen or so over the last 15 minutes after first seeing the error.

It might be an internal error, but is there a workaround such as clearing the IndexScopedSearch index? Since I don't know if that index is temporary or not, I don't know if that is a good or bad thing to do. If it is okay to clear out the index, I don't know how to do that.

Thank you Randy

Highlighted

Re: Error in 'IndexScopedSearch': The search failed. More than 125000 events found at time 1283184202

Super Champion

BTW, you need a higher score before you can add a comment; it's not your browser.

0 Karma
Highlighted

Re: Error in 'IndexScopedSearch': The search failed. More than 125000 events found at time 1283184202

Communicator

I got this "Error in 'IndexScopedSearch': The search failed. More than 125000 events found at time 1287172432." and an error notice that I went over my indexing volume license. So, I am trying to figure out what happened and cannot find the source that generated all these 'events'.

0 Karma