Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Search auto-finalized after disk usage limit (...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Search auto-finalized after disk usage limit (100mb) reached - What does this mean?
Started getting Search auto-finalized after disk usage limit (100mb) reached - What does this mean?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
When we receive this message or warning saying 100MB threshold is reached, the output what we see, do we say whatever it has given with the search executed, is that accurate data??
Or this data cannot be considered as accurate because of 100MB threshold??
All, I wanted to understand is even with this 100MB threshold, the results which is given do we say it is accurate or it is partial and cannot be considred as Accurate enough and it needs to be optimised or run by a search admin with high disk quota to get accurate results...
Please advise
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey
First,I think you need to optimise your search query
and secondly in search head $SPLUNK_HOME/etc/system/local/authorize.conf put
[your_role]
srchDiskQuota = 500
Maximum amount of disk space (MB) that can be used by search jobs of a user that belongs to this role which is 500 MB by default its 100 MB
your_role is allowed to take up 500 megabytes total on disk for all their jobs.
refer this doc
http://docs.splunk.com/Documentation/Splunk/latest/Admin/authorizeconf#authorize.conf.example
I hope that helps you!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Basically, you ran out of space.
The first thing you might consider doing is using the | fields command at the earliest point possible to eliminate everything but the fields you need. Other than that, you'd have to post a non-confidential version of the search to answers, in a separate question, and we could see how to help you make it more space-efficient.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You must be running a heavy search which , for it's processing, taking more than 100mb of dispatch directory and thus getting finalized. You should look at optimizing your search to reduce it's footprint (recommended) or adjust srchDiskQuota for your role in authorize.conf to increase the disk usage limit.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...
