Splunk Search

How do I find what source/sourcetype caused this error: "The search failed. More than 1000000 events found at time"

xindeNokia
Path Finder

Search failed with error msg:

Error in 'IndexScopedSearch': The search failed. More than 1000000 events found at time 1554154800.

How do I find out what source/sourcetype/event caused this issue?

I have tried a couple of queries:

1.
*somecontents earliest=1554154800 | head 1000

It takes a long time — still ongoing and nothing matched.

2.
*somecontents earliest=1554154799 latest=1554154801
| head 1000

Returns the same search failure error.

Any help is appreciated!


somesoni2
Revered Legend

Give this a try

| tstats count WHERE index=* _time=1554154800 by index sourcetype

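As an added example, not part of the thread or of somesoni2's answer, here is a wider form of the accepted tstats query. It covers the one-second window around the timestamp from the error message, splits the counts by source and host as well as by index and sourcetype (all four are Splunk's standard indexed fields, so tstats can use them), and sorts the largest bucket to the top so the offending feed is the first row. The one-second window and the sort are my assumption about what is wanted; adjust the window if the error timestamp moves.

```spl
| tstats count
    WHERE index=* earliest=1554154799 latest=1554154801
    BY _time span=1s index sourcetype source host
| sort - count
```

Because tstats only reads the index metadata, this returns quickly even when a raw search over the same second would trip the 1,000,000-event limit. The row at the top shows which source and host wrote the burst of events at that timestamp.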

bigg_bear
Engager

Did you solve the problem after finding out what sourcetype caused this issue?



xindeNokia
Path Finder

Thank you for the quick help!!
