Solved: Re: How can I tune the Splunk search process to ha...

stephanbuys · ‎05-11-2010

I have a data source where all events get logged in hour intervals. There could be several hundred thousand events per interval.

When trying to search for these events I get the following error: Error in 'IndexScopedSearch': The search failed. More than 250000 events found at time 1271749500.

Is there a way to tune the search process not to fail on this search?

bwooden · ‎05-13-2010

Similar thread: http://answers.splunk.com/questions/303/whats-max-events-i-can-have-timestamped-with-a-particular-se...

View solution in original post

bwooden · ‎05-13-2010

Similar thread: http://answers.splunk.com/questions/303/whats-max-events-i-can-have-timestamped-with-a-particular-se...

stephanbuys · ‎05-21-2010

We resolved this issue by moving away from timestamp recognition for this data source and logging TIME_FORMAT=CURRENT.

stephanbuys · ‎05-18-2010

Unfortunately I am still running into this limitation. I have tried to add some information to from the event's _raw field to the Sourcetype, in order to increase the uniqueness of the host/source/sourcetype combination. My searches are still failing though.

How can I tune the Splunk search process to handle more than 250000 events at one timestamp?

Index This | Why did the turkey cross the road?

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers

Are you a member of the Splunk Community?

How can I tune the Splunk search process to handle more than 250000 events at one timestamp?

Index This | Why did the turkey cross the road?

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers