Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

IndexScopedSearch The search failed. More than 1000000 events were found

abedcx
Explorer
‎01-12-2024 10:09 AM

I read many articles about it but no one knows how to fix it. 

so how can I fix it? 

Error in 'IndexScopedSearch': The search failed. More than 1000000 events were found at time 1675957850.

Labels (1)
Labels
0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎01-13-2024 08:33 PM

Hi @abedcx 

The issue is the timestamp. i believe you found out some details from @richgalloway 's replies. 

the Actual issue.. when you are searching, there are sooo many events with same timestamp, so Splunk is not able to do the searching.

May we know what your search query(SPL).. we can fine-tune it, so that the Splunk will need not look into sooo many events. please suggest, thanks. 

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-12-2024 10:56 AM

There are more than 1 million events indexed with the same timestamp - February 9, 2023 15:50:50 UTC.

Double-check the inputs.conf and props.conf settings to ensure events are being onboarded correctly.

Searching this data will be a challenge, if it can be done at all.  Add index, source, sourcetype, and host fields to the base query to narrow the scope of the search as much as possible.

---
If this reply helps you, Karma would be appreciated.
Reply

abedcx
Explorer
‎01-13-2024 01:03 PM

Thank you so much for your time , 

@richgalloway 

 

But i noticed that the splunk read the date from my csv and this date is for me not for splunk time 

 

how can i tell splunk to not use this date (that is in my csv ) and make splunk to generate a date when indexing the data 

 

in other words and as you can see in my bellow screenshot my date is the same and duplicated and i have more than 3 billion recoreds most of them same date and this date it's for me so how can i tell splunk to not use this date 

 

Screenshot_1320.png

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-13-2024 04:59 PM

To tell Splunk to use for the date, include a DATETIME_CONFIG setting in a props.conf file.  Depending on your needs, either

DATETIME_CONFIG = current

or

DATETIME_CONFIG = none

 

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Celebrating Fast Lane: 2025 Authorized Learning Partner of the Year

At .conf25, Splunk proudly recognized Fast Lane as the 2025 Authorized Learning Partner of the Year. This ...

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...