Solved: How can I tune the Splunk search process to handle...

stephanbuys · ‎05-11-2010

I have a data source where all events get logged in hour intervals. There could be several hundred thousand events per interval.

When trying to search for these events I get the following error: Error in 'IndexScopedSearch': The search failed. More than 250000 events found at time 1271749500.

Is there a way to tune the search process not to fail on this search?

bwooden · ‎05-13-2010

Similar thread: http://answers.splunk.com/questions/303/whats-max-events-i-can-have-timestamped-with-a-particular-se...

View solution in original post

bwooden · ‎05-13-2010

Similar thread: http://answers.splunk.com/questions/303/whats-max-events-i-can-have-timestamped-with-a-particular-se...

stephanbuys · ‎05-21-2010

We resolved this issue by moving away from timestamp recognition for this data source and logging TIME_FORMAT=CURRENT.

stephanbuys · ‎05-18-2010

Unfortunately I am still running into this limitation. I have tried to add some information to from the event's _raw field to the Sourcetype, in order to increase the uniqueness of the host/source/sourcetype combination. My searches are still failing though.

How can I tune the Splunk search process to handle more than 250000 events at one timestamp?

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Unlock Database Monitoring with Splunk Observability Cloud

Join the Conversation

How can I tune the Splunk search process to handle more than 250000 events at one timestamp?

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Unlock Database Monitoring with Splunk Observability Cloud