Solved: limits.conf modify time out search

splunkcol · ‎02-19-2021

I am performing a query to generate a chart.

The query time range is the previous 7 days, when I use this time range I get the error message that I attach, but when I lower the time to 5 or 4 days if I get the information.

By discard it is because of the time it is taking, I don't know if I'm wrong but there is some configuration that limits a maximum time in seconds until it generates a take out or cancels it splunk.

Someone suggested that I review the limits.conf file, but when I review the documentation, I don't see which stanza I should modify.

I appreciate if someone can guide me

https://docs.splunk.com/Documentation/Splunk/8.1.2/Admin/Limitsconf#.5Bsearch.5D

tscroggins · ‎02-20-2021

@splunkcol

If your search is auto-finalizing before it completes, you'll need to adjust srchMaxTime for your role in authorize.conf. Also review srchTimeWin (maximum time range), srchDiskQuota, and other role-based limits, depending on the errors/messages shown.

View solution in original post

tscroggins · ‎02-20-2021

@splunkcol

If your search is auto-finalizing before it completes, you'll need to adjust srchMaxTime for your role in authorize.conf. Also review srchTimeWin (maximum time range), srchDiskQuota, and other role-based limits, depending on the errors/messages shown.

limits.conf modify time out search

chart

field extraction

fields

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

Troubleshooting the OpenTelemetry Collector

Adoption of Infrastructure Monitoring at Splunk