Subsearch timeout is ignoring settings

Deecie · ‎04-22-2012

I'm trying to run a complex search and I keep getting this message:

[subsearch]: Search auto-finalized after time limit (60 seconds) reached.

However, I have this in etc/system/local/limits.conf:

[subsearch]
maxtime = 600

And for good measure I created etc/apps/myapp/local/limits.conf`:

[subsearch]
maxtime = 600

I've definitely restarted Splunk since making these changes. Is there something I'm missing? Could it be something to do with having nested and chained subsearches?

MuS · ‎01-17-2013

Hi Deecie

this can be 'fixed' by changing the values in limits.conf for stanza [join]

 [join]
 subsearch_maxout = number_of_events
 subsearch_maxtime = max_seconds
 subsearch_timeout = seconds

after that it works just fine.

cheers,

MuS

sdaniels · ‎04-23-2012

What version are you running?

sdaniels · ‎04-23-2012

This may still be a bug. Best thing is to open up a support case to get this addressed. It also helps prioritize our engineering team.

http://splunk-base.splunk.com/answers/6128/subsearch-search-auto-finalized-after-time-limit-reached-...

Subsearch timeout is ignoring settings

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Casting Call: Compete in Cyber Games

Announcing Modern Navigation: A New Era of Splunk User Experience

How Edge Processor's Durable Queue Works

Join the Conversation

Subsearch timeout is ignoring settings

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Casting Call: Compete in Cyber Games

Announcing Modern Navigation: A New Era of Splunk User Experience

How Edge Processor's Durable Queue Works