×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
hema_5757
Observer
Member since: ‎03-19-2025
‎03-19-2025
Community Statistics
Posts 2
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎03-19-2025
Activity Feed
Topics I've Started
View All

Re: Search auto-cancelled

by in Splunk Search
‎03-19-2025 06:41 AM
‎03-19-2025 06:41 AM
The Search process around 8K results in 400M events  ... View more

Search auto-cancelled

by in Splunk Search
‎03-19-2025 05:45 AM
‎03-19-2025 05:45 AM
Hi All, I have following Query  index=wineventlog |eval _time = strftime(_time,"%Y-%m-%d %H:%M:%S") |eval device_name = lower(Workstation_Name)|dedup device_name | table _time user device_name src_nt_host action ComputerName host SourceName Account_Name Security_ID Logon_Type TaskCategory Type app eventtype product vendor vendor_product Account_Domain dest dest_nt_domain dest_nt_host Error_Code EventCode EventType name source SourceName sourcetype src src_domain src_ip src_nt_domain src_port Virtual_Account LogName Logon_GUID Impersonation_Level on Yesterday time filter This search takes more than one hour and when I use this query to output search It process till 60% and then it is giving error like search auto-cancelled. Is there any way that we can handle time for processing this query. or how can I get data in other ways.    If I give shorted timeframe like last 60 min time takes almost 5 min and I can get data. Please suggest. ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎03-19-2025 09:18 AM