Solved: Re: How do I find what source/sourcetype caused th...

xindeNokia · ‎04-02-2019

Search failed with error msg:

Error in 'IndexScopedSearch': The search failed. More than 1000000 events found at time 1554154800.

How do I find out what source/sourcetype/event caused this issue?

I have tried a couple of queries:

It takes a long time — still on going and nothing matched

2.
*somecontents earliest=1554154799 latest=1554154801 | head 1000

Returns the same search failure error.

Any help is appreciated!

somesoni2 · ‎04-02-2019

Give this a try

| tstats count WHERE index=* _time=1554154800 by index sourcetype

bigg_bear · ‎08-17-2021

Did you solve the problem after finding out what sourcetype caused this issue?

somesoni2 · ‎04-02-2019

Give this a try

| tstats count WHERE index=* _time=1554154800 by index sourcetype

xindeNokia · ‎04-02-2019

Thank you for the quick help!!

How do I find what source/sourcetype caused this error: "The search failed. More than 1000000 events found at time"