Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: IndexScopedSearch Error
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
IndexScopedSearch Error
Hello Splunkers!
During search I get an error: "Error in 'IndexScopedSearch': The search failed. More than 1000000 events found at time 1361015487."
Which parameter in the limits.conf file should I increase to avoid this error?
Best regards,
Roman
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I had this same problem in an index taking various exchange log files. After reading this comment about the 100K events indexed in one second being a limitation, I started thinking about that. I have not had this problem before upgrading to splunk 6.1.5 (I was on 4.3.1 before). I looked at their timestamps and realized that these logs are granular only to the second. So I go in touch with the admin on that system, and suggested moving to advance logging, and turning-on millisecond timestamps. I had to re-do my props.conf for the new timestamp but that was trivial, and I am not experiencing this error any more when searching. When you make this change, you switch from monitoring where the log is and the name:
W3SVC1\u_ex*.log to AdvancedLogs\DEFAULT WEB SITE\Exchange_AdvLog_H*.log
I put this in my props.conf for the new format:
detect_trailing_nulls=auto
pulldown_type = true
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false
TIME_FORMAT = %Y-%m-%d %H:%M:%S.%3N
TZ = GMT
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk returns searches in sub second order. You can not have more the 100K events indexed in one second. It is not tunable. Sorry.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Maybe this is hard limitation of Splunk?...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Curious as well - having the same issue.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Curious as well - running into the same situation.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The problem is still not resolved...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you!
I found this answer earlier. But I do not quite understand what kind of setting it:
"parameter tunable based on memory available"
Increase value of parameter "max_mem_usage_mb" doesn't affect the Error...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i think both are same . please check out [here][1]
[1]: http://splunk-base.splunk.com/answers/3397/indexscopedsearch-error-details
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not have any ideas?
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Splunk Community Badges!
How to find the worst searches in your Splunk environment and how to fix them
Share Your Feedback: On Admin Config Service (ACS)!
