Solved: limits.conf modify time out search

splunkcol · ‎02-19-2021

I am performing a query to generate a chart.

The query time range is the previous 7 days, when I use this time range I get the error message that I attach, but when I lower the time to 5 or 4 days if I get the information.

By discard it is because of the time it is taking, I don't know if I'm wrong but there is some configuration that limits a maximum time in seconds until it generates a take out or cancels it splunk.

Someone suggested that I review the limits.conf file, but when I review the documentation, I don't see which stanza I should modify.

I appreciate if someone can guide me

https://docs.splunk.com/Documentation/Splunk/8.1.2/Admin/Limitsconf#.5Bsearch.5D

tscroggins · ‎02-20-2021

@splunkcol

If your search is auto-finalizing before it completes, you'll need to adjust srchMaxTime for your role in authorize.conf. Also review srchTimeWin (maximum time range), srchDiskQuota, and other role-based limits, depending on the errors/messages shown.

View solution in original post

tscroggins · ‎02-20-2021

@splunkcol

If your search is auto-finalizing before it completes, you'll need to adjust srchMaxTime for your role in authorize.conf. Also review srchTimeWin (maximum time range), srchDiskQuota, and other role-based limits, depending on the errors/messages shown.

limits.conf modify time out search

chart

field extraction

fields

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?