Subsearch timeout is ignoring settings

Deecie · ‎04-22-2012

I'm trying to run a complex search and I keep getting this message:

[subsearch]: Search auto-finalized after time limit (60 seconds) reached.

However, I have this in etc/system/local/limits.conf:

[subsearch]
maxtime = 600

And for good measure I created etc/apps/myapp/local/limits.conf`:

[subsearch]
maxtime = 600

I've definitely restarted Splunk since making these changes. Is there something I'm missing? Could it be something to do with having nested and chained subsearches?

MuS · ‎01-17-2013

Hi Deecie

this can be 'fixed' by changing the values in limits.conf for stanza [join]

 [join]
 subsearch_maxout = number_of_events
 subsearch_maxtime = max_seconds
 subsearch_timeout = seconds

after that it works just fine.

cheers,

MuS

sdaniels · ‎04-23-2012

What version are you running?

sdaniels · ‎04-23-2012

This may still be a bug. Best thing is to open up a support case to get this addressed. It also helps prioritize our engineering team.

http://splunk-base.splunk.com/answers/6128/subsearch-search-auto-finalized-after-time-limit-reached-...

Subsearch timeout is ignoring settings

Buttercup Games: Further Dashboarding Techniques (Part 6)

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Splunk Observability Synthetic Monitoring - Resolved Incident on Detector Alerts