Solved: indexer search limits reached

kteng2024 · ‎03-26-2017

Hi,

When i ran a command which will fetch the events from last 7 days from a host , splunk is throwing below message. Can anyone please explain in detail about this message.

[abcidx01] Events may not be returned in sub-second order due to search memory limits configured in limits.conf [search]:max_rawsize_perchunk. See search.log for more information.

woodcock · ‎03-26-2017

It is saying that your events have subseconds (usually milliseconds) so instead of a time like Dec 25 2017 23:30:12, they are like Dec 25 2017 23:30:12.345. And on top of that, the events as returned to you (which are normally sorted in newest-to-oldest order, WILL be that way up until the subseconds part (in my example, the Dec 25 2017 23:30:12 part) but may NOT be properly sorted for each second within the subseconds part (in my example, the .345 part. If this is important to you, be sure to add | sort 0 - _time as the first command after your base search to resort the events before further processing them.

View solution in original post

woodcock · ‎03-26-2017

It is saying that your events have subseconds (usually milliseconds) so instead of a time like Dec 25 2017 23:30:12, they are like Dec 25 2017 23:30:12.345. And on top of that, the events as returned to you (which are normally sorted in newest-to-oldest order, WILL be that way up until the subseconds part (in my example, the Dec 25 2017 23:30:12 part) but may NOT be properly sorted for each second within the subseconds part (in my example, the .345 part. If this is important to you, be sure to add | sort 0 - _time as the first command after your base search to resort the events before further processing them.

indexer search limits reached

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms