Splunk Search

Why does my search not finish?

fraser8
Engager

index="king" source ="/King/East"

I am confused why my search doesn't finish. I have a '2 month window' applied to the time.

When I inspect the job I see: This search is still running and is approximately 100% complete.

In the log, the following two items keep repeating every ~5s:

01-29-2018 21:14:25.205 INFO  SortOperator - maxmem = 209715200
01-29-2018 21:14:25.337 INFO  DispatchThread - Generating results preview took 157 ms

When I remove the time filter, and allow for 'All time', the search completes with the output: This search has completed and has returned 16,484 results by scanning 44,750 events in 1.944 seconds

The search that gets stuck:

[screenshot of the search as entered in Splunk Web, not reproduced]

1 Solution

acharlieh
Influencer

If you specified to search with a "2 month window", that means you set up a real-time search, which is a continuously executing search.

Instead you want to run a normal historic search (using the "Relative" section of the time range picker), for which the picker would instead read "Last 2 months".

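To make the difference concrete, here are the two searches written with explicit time modifiers. This is an added example, not part of the original thread; the index and source are the asker's, and the exact modifier values are assumptions chosen to match the "2 month" range. Time modifiers in the search string override whatever the time range picker is set to, so this form also makes the behaviour independent of what was clicked in the picker.

```spl
index="king" source="/King/East" earliest=rt-2mon latest=rt

index="king" source="/King/East" earliest=-2mon@d latest=now
```

The first search is the real-time form: the `rt-` prefix turns it into a windowed real-time search, which keeps running indefinitely and is the state the Job Inspector reports as "still running and is approximately 100% complete". The second is the historic form (earliest two months ago, snapped to midnight by `@d`, latest now): it scans the index once and returns a finite result count, as the asker saw with "All time". To check which kind a job is, open it from Activity > Jobs, or look at the `isRealTimeSearch` property of the job in the REST response for `/services/search/jobs/<sid>`.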

somesoni2
Revered Legend

Are you selecting that "2 month window" from Real-time section of time range picker?

fraser8
Engager

Yes, I was selecting Real-time -> 2 Months Ago
