Refine your search:

issue with transactions

0

I had previously posted this question earlier: http://answers.splunk.com/questions/9264/am-i-bumping-into-limits-issue-with-subsearch-results. I've done some deeper digging and I believe I'm having a general issue with transactions.

I've done a simple search over an index for a 15 minute window and come up with 75,000 events returned. When I run a simple search to build the transactions (index=smtp [search index=smtp | fields + messageid] | transaction messageid) I end up receiving the same error:

Error in 'UnifiedSearch': Unable to parse the 'The specified search is too large. Please try to simplify your search.

What can be done to help resolve this issue?

Thanks!

asked 03 Dec '10, 14:57

castle1126's gravatar image

castle1126
1893419
accept rate: 0%

edited 03 Dec '10, 15:06

ftk's gravatar image

ftk ♦
6.8k1728
One Answer:
oldestnewestmost voted
1

It doesn't look like the subsearch is really needed here, since all it appears to be doing is making sure that the messageid field is populated.

How about just:

index=smtp messageid=* | transaction messageid
link

answered 03 Dec '10, 16:38

southeringtonp's gravatar image

southeringtonp ♦
4.9k2524
accept rate: 35%

Thanks much! Doing the search that way worked very nicely...

(03 Dec '10, 18:09) castle1126
Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×175

Asked: 03 Dec '10, 14:57

Seen: 351 times

Last updated: 03 Dec '10, 16:38

Related questions

How can I limt my search results to the first event returned?

Individual Transactions

Transactions/Stats?

Help with transaction search

Transactions with different field names

suppressing adjacent events with duplicate field values

Transaction over multiple events with same timestamp

help working with radius data (transactions)

Issue w/ 'timechart' and 'transactions'

Copyright © 2005-2012 Splunk Inc. All rights reserved.