[subsearch]: Search auto-finalized after time limit reached (30 seconds). Results may be incomplete.

Path Finder

Dear Sir

When I run a long search, Splunk always responds with this message:

[subsearch]: Search auto-finalized after time limit reached (30 seconds). Results may be incomplete.

and then ... the subsearch's results can't be finished.

How do I modify this time limit?




I have added limits.conf to my app's local directory.

Below are my limits.conf settings:

[subsearch]
maxtime = 180
timeout = 180

and then ... restarted the Splunk service

and then ... it doesn't work.

Do you have another method to fix this issue?




Below is my search ...

index="wms_summary" search_name="Summary Basic Data Output 01" $Param_API_Name$ 
| `GenerateTimeFields` 
| dedup Week_Number, Request_API_Name, Sub_ID 
| stats min(Event_Time) as Event_Start_Time, max(Event_Time) as Event_End_Time, count(Sub_ID) as Sub_ID_Number by Week_Number, Request_API_Name 
| fields + Event_Start_Time, Event_End_Time, Request_API_Name, Sub_ID_Number 
| `FieldsRename` 
| append 
[search index="wms_summary" search_name="Summary Basic Data Output 01" $Param_API_Name$ 
| stats min(_time) as Convert_Start_Time, max(_time) as Convert_End_Time, values(Request_API_Name) as Request_API_Name, dc(Sub_ID) as Sub_ID_Number 
| convert mktime(Convert_Start_Time) as Unix_Start_Time 
| convert timeformat="%Y/%m/%d" ctime(Unix_Start_Time) as Event_Start_Time 
| convert mktime(Convert_End_Time) as Unix_End_Time 
| convert timeformat="%Y/%m/%d" ctime(Unix_End_Time) as Event_End_Time 
| eval $Param_API_Name$ 
| eval Request_API_Name = if(Request_API_Name == "*", "ALL_Sites", Request_API_Name) 
| fields + Event_Start_Time, Event_End_Time, Request_API_Name, Sub_ID_Number 
| `FieldsRename`]

Re: [subsearch]: Search auto-finalized after time limit reached (30 seconds). Results may be incomplete.

Splunk Employee

You can adjust the setting in the limits.conf configuration file.

0 Karma

Re: [subsearch]: Search auto-finalized after time limit reached (30 seconds). Results may be incomplete.

Path Finder

I have updated my answer to my question ...

0 Karma

Re: [subsearch]: Search auto-finalized after time limit reached (30 seconds). Results may be incomplete.

Splunk Employee

Are you doing this in a subsearch in a search command, or in a join command, or an append command? These each take a different setting.


Re: [subsearch]: Search auto-finalized after time limit reached (30 seconds). Results may be incomplete.

Path Finder

I have updated my search to my question

0 Karma

Re: [subsearch]: Search auto-finalized after time limit reached (30 seconds). Results may be incomplete.

Splunk Employee

You can modify the settings that affect subsearch timeouts in limits.conf

-- edit --
It depends. One location to edit (or create) this file would be:

$SPLUNK_HOME/etc/system/local/limits.conf  

You may wish to read more about configuration files to learn more.


Re: [subsearch]: Search auto-finalized after time limit reached (30 seconds). Results may be incomplete.

Path Finder

Sorry but where is that?

0 Karma

Re: [subsearch]: Search auto-finalized after time limit reached (30 seconds). Results may be incomplete.

Contributor

I also have the same problem; modifying limits.conf still doesn't work. Is this a bug?


Re: [subsearch]: Search auto-finalized after time limit reached (30 seconds). Results may be incomplete.

Motivator

I have the same problem too. Tuning up the limits.conf file does not fix the problem.


Re: [subsearch]: Search auto-finalized after time limit reached (30 seconds). Results may be incomplete.

Path Finder

Same here. Is anyone going to address this question?