Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why does my subsearch maxtime setting in limits.conf have no effect?

gesman
Communicator
‎07-07-2015 04:05 PM

I have /my-app/local/limits.conf with the following content:

[subsearch]
maxtime = 600

[join]
subsearch_maxtime = 600
subsearch_timeout = 800

Yet when search finished - job inspector still claims that:

 [subsearch]: Search auto-finalized after time limit (60 seconds) reached.

Does this means the setting is ignored, or does this mean that this message is actually incorrect?

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎07-07-2015 04:25 PM

Make sure you've restarted after making the changes, and run these two to check that Splunk understands your configuration:

./bin/splunk cmd btool --debug limits list subsearch
./bin/splunk cmd btool --debug limits list join
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎07-08-2015 10:13 AM

Side note: Use | format to avoid having to assemble the search string manually.

If you're on 6.2.x, add this to limits.conf:

[search_info]
infocsv_log_level = DEBUG

Then run your search again with the ip-subsearch and look at the debug output at the top of the job inspector. That should present you with a complete list of IPs used for filtering.

0 Karma
Reply

gesman
Communicator
‎07-08-2015 07:19 AM

These commands shows that Splunk honors the limits i set in limits.conf. Which means that ...time limit (60 seconds) reached. message is a bug?

Although I did experiment by comparing results of two queries - one using subsearch and another one using hardcoded search using values that subsearch suppose to return:
index=x page=hello [search index=x user=joe| dedup ip | fields ip] | stats c - this returned c=150
with:
index=x user=joe | fields ip | dedup ip | mvcombine ip | eval ip="(ip=" + mvjoin(ip, " OR ip=") + ")" | table ip
- this returned fragment of search query: (ip=1.2.3.4 OR ip=5.6.7.8 OR ip=...)
- So i copy/pasted this fragment and rerun main query like this:
index=x page=hello (ip=1.2.3.4 OR ip=5.6.7.8 OR ip=...) | stats c - this returned c=200

Which means query with subsearch still missed something, even with high limits value set?

0 Karma
Reply
Get Updates on the Splunk Community!

Observability | How to Think About Instrumentation Overhead (White Paper)

Novice observability practitioners are often overly obsessed with performance. They might approach ...

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

IDC Report: Enterprises Gain Higher Efficiency and Resiliency With Migration to Cloud  Today many enterprises ...

The Great Resilience Quest: 10th Leaderboard Update

The tenth leaderboard update (11.23-12.05) for The Great Resilience Quest is out >> As our brave ...