Re: Subsearch timeout is ignoring settings

Deecie · ‎04-22-2012

I'm trying to run a complex search and I keep getting this message:

[subsearch]: Search auto-finalized after time limit (60 seconds) reached.

However, I have this in etc/system/local/limits.conf:

[subsearch]
maxtime = 600

And for good measure I created etc/apps/myapp/local/limits.conf`:

[subsearch]
maxtime = 600

I've definitely restarted Splunk since making these changes. Is there something I'm missing? Could it be something to do with having nested and chained subsearches?

MuS · ‎01-17-2013

Hi Deecie

this can be 'fixed' by changing the values in limits.conf for stanza [join]

 [join]
 subsearch_maxout = number_of_events
 subsearch_maxtime = max_seconds
 subsearch_timeout = seconds

after that it works just fine.

cheers,

MuS

sdaniels · ‎04-23-2012

What version are you running?

sdaniels · ‎04-23-2012

This may still be a bug. Best thing is to open up a support case to get this addressed. It also helps prioritize our engineering team.

http://splunk-base.splunk.com/answers/6128/subsearch-search-auto-finalized-after-time-limit-reached-...

Subsearch timeout is ignoring settings

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights

Event Series: Telemetry Pipeline Management

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Join the Conversation