Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

IndexScopedSearch The search failed. More than 1000000 events were found

abedcx
Explorer
‎01-12-2024 10:09 AM

I read many articles about it but no one knows how to fix it. 

so how can I fix it? 

Error in 'IndexScopedSearch': The search failed. More than 1000000 events were found at time 1675957850.

Labels (1)
Labels
0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎01-13-2024 08:33 PM

Hi @abedcx 

The issue is the timestamp. i believe you found out some details from @richgalloway 's replies. 

the Actual issue.. when you are searching, there are sooo many events with same timestamp, so Splunk is not able to do the searching.

May we know what your search query(SPL).. we can fine-tune it, so that the Splunk will need not look into sooo many events. please suggest, thanks. 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-12-2024 10:56 AM

There are more than 1 million events indexed with the same timestamp - February 9, 2023 15:50:50 UTC.

Double-check the inputs.conf and props.conf settings to ensure events are being onboarded correctly.

Searching this data will be a challenge, if it can be done at all.  Add index, source, sourcetype, and host fields to the base query to narrow the scope of the search as much as possible.

---
If this reply helps you, Karma would be appreciated.
Reply

abedcx
Explorer
‎01-13-2024 01:03 PM

Thank you so much for your time , 

@richgalloway 

 

But i noticed that the splunk read the date from my csv and this date is for me not for splunk time 

 

how can i tell splunk to not use this date (that is in my csv ) and make splunk to generate a date when indexing the data 

 

in other words and as you can see in my bellow screenshot my date is the same and duplicated and i have more than 3 billion recoreds most of them same date and this date it's for me so how can i tell splunk to not use this date 

 

Screenshot_1320.png

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-13-2024 04:59 PM

To tell Splunk to use for the date, include a DATETIME_CONFIG setting in a props.conf file.  Depending on your needs, either

DATETIME_CONFIG = current

or

DATETIME_CONFIG = none

 

---
If this reply helps you, Karma would be appreciated.
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...