Dear Sir
When I run a long search. The Splunk always reponsd this message.
[subsearch]: Search auto-finalized after time limit reached (30 seconds). Results may be incomplete.
and then ... subsearch's result can't be finished.
How to modify this time limit ???
I have add limits.conf to my apps's local directory
Below is my limits.conf's settings --
[subsearch]
maxtime = 180
timeout = 180
and then .... restart splunk service
and then .... it isn't workable
Do you have other method to fix this issue ?
Below is my search ...
index="wms_summary" search_name="Summary Basic Data Output 01" $Param_API_Name$
| `GenerateTimeFields`
| dedup Week_Number, Request_API_Name, Sub_ID
| stats min(Event_Time) as Event_Start_Time, max(Event_Time) as Event_End_Time, count(Sub_ID) as Sub_ID_Number by Week_Number, Request_API_Name
| fields + Event_Start_Time, Event_End_Time, Request_API_Name, Sub_ID_Number
| `FieldsRename`
| append
[search index="wms_summary" search_name="Summary Basic Data Output 01" $Param_API_Name$
| stats min(_time) as Convert_Start_Time, max(_time) as Convert_End_Time, values(Request_API_Name) as Request_API_Name, dc(Sub_ID) as Sub_ID_Number
| convert mktime(Convert_Start_Time) as Unix_Start_Time
| convert timeformat="%Y/%m/%d" ctime(Unix_Start_Time) as Event_Start_Time
| convert mktime(Convert_End_Time) as Unix_End_Time
| convert timeformat="%Y/%m/%d" ctime(Unix_End_Time) as Event_End_Time
| eval $Param_API_Name$
| eval Request_API_Name = if(Request_API_Name == "*", "ALL_Sites", Request_API_Name)
| fields + Event_Start_Time, Event_End_Time, Request_API_Name, Sub_ID_Number
| `FieldsRename`]
We have an internal bug filed around this behavior. Please file a case with splunk support to get more information and help us prioritize this issue.
For those of you who changed the limits.conf. The job is most likely still running in the background, take a look at the job manager. I would also expect these searches to work better on the CLI.
do we have a fix on this issue ? i'm seeing the same issue on a pivot report using the data model. we had modified the limit.conf setting, but it didnt helps. Any advise would be greatly appreciated !!
Are there any updates on the status of this internal bug?
Same here. Is anyone going to address this question?
I have the same problem too. Tuning up the limits.conf file does not fix the problem.
I also have the same problem, modifying the limits.conf still doesn't work, Is this a bug ??
You can modify the settings that affect subsearch timeouts in limits.conf
-- edit --
It depends. One location to edit (or create) this file would be:
$SPLUNK_HOME/etc/system/local/limits.conf
You may wish to read more about configuration files to learn more. .
Sorry but where is that?
You can adjust the setting in the limits.conf configuration file.
I have updated my search to my question
Are you doing this in a subsearch in a search command, or a in join command, or an append command? These each take a different setting.
I have updated my answer to my question ...