Splunk Search

[subsearch]: Search auto-finalized after time limit reached (30 seconds). Results may be incomplete.

SamChang
Path Finder

Dear Sir

When I run a long search, Splunk always responds with this message.

[subsearch]: Search auto-finalized after time limit reached (30 seconds). Results may be incomplete.

and then ... subsearch's result can't be finished.

How do I modify this time limit?




I have added limits.conf to my app's local directory

Below is my limits.conf's settings --

[subsearch]
maxtime = 180
timeout = 180

and then .... restart splunk service

and then .... it isn't workable

Do you have another method to fix this issue?




Below is my search ...

index="wms_summary" search_name="Summary Basic Data Output 01" $Param_API_Name$ 
| `GenerateTimeFields` 
| dedup Week_Number, Request_API_Name, Sub_ID 
| stats min(Event_Time) as Event_Start_Time, max(Event_Time) as Event_End_Time, count(Sub_ID) as Sub_ID_Number by Week_Number, Request_API_Name 
| fields + Event_Start_Time, Event_End_Time, Request_API_Name, Sub_ID_Number 
| `FieldsRename` 
| append 
[search index="wms_summary" search_name="Summary Basic Data Output 01" $Param_API_Name$ 
| stats min(_time) as Convert_Start_Time, max(_time) as Convert_End_Time, values(Request_API_Name) as Request_API_Name, dc(Sub_ID) as Sub_ID_Number 
| convert mktime(Convert_Start_Time) as Unix_Start_Time 
| convert timeformat="%Y/%m/%d" ctime(Unix_Start_Time) as Event_Start_Time 
| convert mktime(Convert_End_Time) as Unix_End_Time 
| convert timeformat="%Y/%m/%d" ctime(Unix_End_Time) as Event_End_Time 
| eval $Param_API_Name$ 
| eval Request_API_Name = if(Request_API_Name == "*", "ALL_Sites", Request_API_Name) 
| fields + Event_Start_Time, Event_End_Time, Request_API_Name, Sub_ID_Number 
| `FieldsRename`]

melting
Splunk Employee

We have an internal bug filed around this behavior. Please file a case with splunk support to get more information and help us prioritize this issue.

For those of you who changed the limits.conf: the job is most likely still running in the background, so take a look at the job manager. I would also expect these searches to work better on the CLI.

hongklee
New Member

Do we have a fix for this issue? I'm seeing the same issue on a pivot report using the data model. We had modified the limits.conf setting, but it didn't help. Any advice would be greatly appreciated!!

0 Karma

bhawkins1
Communicator

Are there any updates on the status of this internal bug?

0 Karma

ehoward
Path Finder

Same here. Is anyone going to address this question?

lpolo
Motivator

I have the same problem too. Tuning up the limits.conf file does not fix the problem.

hjwang
Contributor

I also have the same problem; modifying the limits.conf still doesn't work. Is this a bug??

bwooden
Splunk Employee

You can modify the settings that affect subsearch timeouts in limits.conf

-- edit --
It depends. One location to edit (or create) this file would be:

$SPLUNK_HOME/etc/system/local/limits.conf  

You may wish to read more about configuration files to learn more.

wyang6
Path Finder

Sorry but where is that?

0 Karma

gkanapathy
Splunk Employee

You can adjust the setting in the limits.conf configuration file.

0 Karma

SamChang
Path Finder

I have updated my search to my question

0 Karma

gkanapathy
Splunk Employee

Are you doing this in a subsearch in a search command, or in a join command, or an append command? These each take a different setting.

SamChang
Path Finder

I have updated my answer to my question ...

0 Karma