Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why does my subsearch maxtime setting in limits.conf have no effect?

gesman
Communicator
‎07-07-2015 04:05 PM

I have /my-app/local/limits.conf with the following content:

[subsearch]
maxtime = 600

[join]
subsearch_maxtime = 600
subsearch_timeout = 800

Yet when search finished - job inspector still claims that:

 [subsearch]: Search auto-finalized after time limit (60 seconds) reached.

Does this means the setting is ignored, or does this mean that this message is actually incorrect?

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎07-07-2015 04:25 PM

Make sure you've restarted after making the changes, and run these two to check that Splunk understands your configuration:

./bin/splunk cmd btool --debug limits list subsearch
./bin/splunk cmd btool --debug limits list join
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎07-08-2015 10:13 AM

Side note: Use | format to avoid having to assemble the search string manually.

If you're on 6.2.x, add this to limits.conf:

[search_info]
infocsv_log_level = DEBUG

Then run your search again with the ip-subsearch and look at the debug output at the top of the job inspector. That should present you with a complete list of IPs used for filtering.

0 Karma
Reply

gesman
Communicator
‎07-08-2015 07:19 AM

These commands shows that Splunk honors the limits i set in limits.conf. Which means that ...time limit (60 seconds) reached. message is a bug?

Although I did experiment by comparing results of two queries - one using subsearch and another one using hardcoded search using values that subsearch suppose to return:
index=x page=hello [search index=x user=joe| dedup ip | fields ip] | stats c - this returned c=150
with:
index=x user=joe | fields ip | dedup ip | mvcombine ip | eval ip="(ip=" + mvjoin(ip, " OR ip=") + ")" | table ip
- this returned fragment of search query: (ip=1.2.3.4 OR ip=5.6.7.8 OR ip=...)
- So i copy/pasted this fragment and rerun main query like this:
index=x page=hello (ip=1.2.3.4 OR ip=5.6.7.8 OR ip=...) | stats c - this returned c=200

Which means query with subsearch still missed something, even with high limits value set?

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to Officially Supported Splunk ...