Solved: auto-finalized after time limit reached

cramasta · ‎02-23-2011

Hello,

I have a saved search set up that uses the append command. The subsearch of the append command give me the following error.

[subsearch]: Search auto-finalized after time limit reached (30 seconds). Results may be incomplete.

I have set up my limits in the local dir so it should work but i still keep getting the error. I dont see anywhere the my local limits.conf or in the default limits.conf any values set for 30 seconds. I have no idea where its getting this limit value from.

My current config splunk cmd btool --debug limits list subsearch [subsearch] maxout = 100000 maxtime = 6000 ttl = 1500

There seems to be a issue that someone else has seen with the appendcols command ignoring the limits.conf file. http://answers.splunk.com/questions/6059/appendcols-subsearch-auto-finalize-ignoring-maxtime-in-limi...

I am running 4.1.5

Appreciate your help.

jrodman · ‎02-23-2011

It seems the append command itself has a 30 second default maxtime. I'm not sure I properly understand the search code, but try

... |append maxtime=600 [search ... ]

View solution in original post

sideview · ‎02-24-2011

Can you post the search you're using? Quite often it seems like you need append or join but we can often show you a better simpler faster way to do the same thing with only stats.

jrodman · ‎02-23-2011

It seems the append command itself has a 30 second default maxtime. I'm not sure I properly understand the search code, but try

... |append maxtime=600 [search ... ]

auto-finalized after time limit reached

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

New in Observability Cloud - Explicit Bucket Histograms