Solved: limits.conf modify time out search

splunkcol · ‎02-19-2021

I am performing a query to generate a chart.

The query time range is the previous 7 days, when I use this time range I get the error message that I attach, but when I lower the time to 5 or 4 days if I get the information.

By discard it is because of the time it is taking, I don't know if I'm wrong but there is some configuration that limits a maximum time in seconds until it generates a take out or cancels it splunk.

Someone suggested that I review the limits.conf file, but when I review the documentation, I don't see which stanza I should modify.

I appreciate if someone can guide me

https://docs.splunk.com/Documentation/Splunk/8.1.2/Admin/Limitsconf#.5Bsearch.5D

tscroggins · ‎02-20-2021

@splunkcol

If your search is auto-finalizing before it completes, you'll need to adjust srchMaxTime for your role in authorize.conf. Also review srchTimeWin (maximum time range), srchDiskQuota, and other role-based limits, depending on the errors/messages shown.

View solution in original post

tscroggins · ‎02-20-2021

@splunkcol

If your search is auto-finalizing before it completes, you'll need to adjust srchMaxTime for your role in authorize.conf. Also review srchTimeWin (maximum time range), srchDiskQuota, and other role-based limits, depending on the errors/messages shown.

limits.conf modify time out search

chart

field extraction

fields

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

SignalFlow: What? Why? How?