Splunk Search

RESTAPI Search Limits TTL

SplunkTrust
SplunkTrust

I have a search being executed via script hitting the REST API. Occasionally it will return no results and looking for the associated events in _internal we get the below:

alt text

Through this we can see that once it hits around 300000ms (5min) the search times out. Anything below it we get data returned as shown by the non-zero values after each 200 status code. I've been looking through the spec files for what setting might be imposing this limit but have not had any luck in finding one that changes this value. I've gone through looking via grep " 300 " /opt/splunk/etc/system/README/*specas well as other variations of that time format.

In addition to this, I have sent arguments with the POST for auto_cancel and ttl and it does not appear to affect this 5 minute timeout. Any thoughts as to where this limit is being imposed?

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!