Re: Subsearch timeout is ignoring settings

Deecie · ‎04-22-2012

I'm trying to run a complex search and I keep getting this message:

[subsearch]: Search auto-finalized after time limit (60 seconds) reached.

However, I have this in etc/system/local/limits.conf:

[subsearch]
maxtime = 600

And for good measure I created etc/apps/myapp/local/limits.conf`:

[subsearch]
maxtime = 600

I've definitely restarted Splunk since making these changes. Is there something I'm missing? Could it be something to do with having nested and chained subsearches?

MuS · ‎01-17-2013

Hi Deecie

this can be 'fixed' by changing the values in limits.conf for stanza [join]

 [join]
 subsearch_maxout = number_of_events
 subsearch_maxtime = max_seconds
 subsearch_timeout = seconds

after that it works just fine.

cheers,

MuS

sdaniels · ‎04-23-2012

What version are you running?

sdaniels · ‎04-23-2012

This may still be a bug. Best thing is to open up a support case to get this addressed. It also helps prioritize our engineering team.

http://splunk-base.splunk.com/answers/6128/subsearch-search-auto-finalized-after-time-limit-reached-...

Subsearch timeout is ignoring settings

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation