Solved: Re: Why are we getting "[subsearch]: Search auto-f...

ddrillic · ‎03-13-2017

We get the error such as -

[subsearch]: Search auto-finalized after time limit(60 seconds) reached.

We changed the following for the search app while we use a different app -

$ cat limits.conf
[search]
# setting for an hour
maxtime = 216000

Any ideas?

ddrillic · ‎03-27-2017

We ended up having the following in limits.conf -

[subsearch]
maxout = 50000
maxtime = 3600
ttl = 300

[join]
subsearch_maxout = 50000
subsearch_maxtime = 3600
subsearch_timeout = 360

It works!!! ; - )

View solution in original post

ddrillic · ‎03-27-2017

We ended up having the following in limits.conf -

[subsearch]
maxout = 50000
maxtime = 3600
ttl = 300

[join]
subsearch_maxout = 50000
subsearch_maxtime = 3600
subsearch_timeout = 360

It works!!! ; - )

woodcock · ‎03-13-2017

You could run a scheduled search to pull the hunk data in on a regular basis and then use loadjob in your subsearch to access the hunk data from the scheduled search (or ref if in a dashboard panel).

ddrillic · ‎03-13-2017

Interesting - we should try that...

woodcock · ‎03-13-2017

You should show your subsearch; there must be something wrong with it taking so long. It needs optimization.

ddrillic · ‎03-13-2017

It's a Hunk one - huge data set ; -)

woodcock · ‎03-13-2017

One of the very few GOOD reasons to resort to upping the timeout.

ddrillic · ‎03-13-2017

Very kind @woodcock ; -)

But, you see, why does the error message speak about 60 seconds after we upped the timeout interval to an hour?

DalJeanis · ‎03-13-2017

did you restart splunk after changing the configuration?

ddrillic · ‎03-13-2017

Oh yeah - we did.

Why are we getting "[subsearch]: Search auto-finalized after time limit (60 seconds) reached" error?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor