Splunk Search

How do I find what source/sourcetype caused this error: "The search failed. More than 1000000 events found at time"

xindeNokia
Path Finder

Search failed with error msg:

Error in 'IndexScopedSearch': The search failed. More than 1000000 events found at time 1554154800.

How do I find out what source/sourcetype/event caused this issue?

I have tried a couple of queries:

1. *somecontents earliest=1554154800 | head 1000

It takes a long time — still ongoing and nothing matched.

2. *somecontents earliest=1554154799 latest=1554154801
   | head 1000

Returns the same search failure error.

Any help is appreciated!

0 Karma
1 Solution

somesoni2
Revered Legend

Give this a try

| tstats count WHERE index=* _time=1554154800 by index sourcetype


0 Karma
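A slightly broader form of that tstats search, added here as an example and not taken from somesoni2's answer: it covers the one-second window around the timestamp from the error and splits it by source and host as well as index and sourcetype, so the heaviest source at that second comes out on top. The value 1554154800 is the one from the error message; the rest is standard tstats syntax.

```spl
| tstats count
    WHERE index=* earliest=1554154800 latest=1554154801
    BY _time span=1s index sourcetype source host
| sort - count
| head 20
```

tstats reads only the indexed metadata (index, sourcetype, source, host, _time), so it does not have to pull the raw events; that is why it returns where the raw searches with `| head` did not. A single sourcetype showing a very large count of events that all share one epoch second is worth checking against that sourcetype's timestamp settings in props.conf, since a timestamp extraction that fails leaves many events stamped with the same fallback time.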

bigg_bear
Engager

Did you solve the problem after finding out what sourcetype caused this issue?

0 Karma


xindeNokia
Path Finder

Thank you for the quick help!!

0 Karma