Splunk Search

How do I find what source/sourcetype caused this error: "The search failed. More than 1000000 events found at time"

Path Finder

Search failed with error msg:

Error in 'IndexScopedSearch': The search failed. More than 1000000 events found at time 1554154800.

How do I find out what source/sourcetype/event caused this issue?

I have tried a couple of queries:

1. *somecontents earliest=1554154800 | head 1000

   It takes a long time — still ongoing and nothing matched.

2. *somecontents earliest=1554154799 latest=1554154801 | head 1000

   Returns the same search failure error.

Any help is appreciated!

0 Karma
1 Solution

SplunkTrust

Give this a try

| tstats count WHERE index=* _time=1554154800 by index sourcetype

0 Karma
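An added example, not from the thread: the same tstats approach widened to a window around the failing second and bucketed per second, so the burst shows up together with the index, sourcetype and source that produced it; the window bounds and the 100000 threshold are assumptions to adjust.

```spl
| tstats count WHERE index=* earliest=1554154700 latest=1554154900
    BY _time span=1s index sourcetype source
| where count > 100000
| eval second=strftime(_time, "%Y-%m-%d %H:%M:%S")
| sort - count
| table second index sourcetype source count
```

Because tstats reads the indexed fields in the tsidx files rather than raw events, it stays quick even where the raw searches in the question ran for a long time or hit the same limit.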

Path Finder

Thank you for the quick help!!

0 Karma