Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

IndexScopedSearch The search failed. More than 1000000 events were found

abedcx
Explorer
‎01-12-2024 10:09 AM

I read many articles about it but no one knows how to fix it. 

so how can I fix it? 

Error in 'IndexScopedSearch': The search failed. More than 1000000 events were found at time 1675957850.

Labels (1)
Labels
0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎01-13-2024 08:33 PM

Hi @abedcx 

The issue is the timestamp. i believe you found out some details from @richgalloway 's replies. 

the Actual issue.. when you are searching, there are sooo many events with same timestamp, so Splunk is not able to do the searching.

May we know what your search query(SPL).. we can fine-tune it, so that the Splunk will need not look into sooo many events. please suggest, thanks. 

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-12-2024 10:56 AM

There are more than 1 million events indexed with the same timestamp - February 9, 2023 15:50:50 UTC.

Double-check the inputs.conf and props.conf settings to ensure events are being onboarded correctly.

Searching this data will be a challenge, if it can be done at all.  Add index, source, sourcetype, and host fields to the base query to narrow the scope of the search as much as possible.

---
If this reply helps you, Karma would be appreciated.
Reply

abedcx
Explorer
‎01-13-2024 01:03 PM

Thank you so much for your time , 

@richgalloway 

 

But i noticed that the splunk read the date from my csv and this date is for me not for splunk time 

 

how can i tell splunk to not use this date (that is in my csv ) and make splunk to generate a date when indexing the data 

 

in other words and as you can see in my bellow screenshot my date is the same and duplicated and i have more than 3 billion recoreds most of them same date and this date it's for me so how can i tell splunk to not use this date 

 

Screenshot_1320.png

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-13-2024 04:59 PM

To tell Splunk to use for the date, include a DATETIME_CONFIG setting in a props.conf file.  Depending on your needs, either

DATETIME_CONFIG = current

or

DATETIME_CONFIG = none

 

---
If this reply helps you, Karma would be appreciated.
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

What Is Splunk? Here’s What You Can Do with Splunk

Hey Splunk Community, we know you know Splunk. You likely leverage its unparalleled ability to ingest, index, ...

Level Up Your .conf25: Splunk Arcade Comes to Boston

With .conf25 right around the corner in Boston, there’s a lot to look forward to — inspiring keynotes, ...

Manual Instrumentation with Splunk Observability Cloud: How to Instrument Frontend ...

Although it might seem daunting, as we’ve seen in this series, manual instrumentation can be straightforward ...