Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Error in 'IndexScopedSearch': The search failed. More than 125000 events found at time 1283184202

RNB
Path Finder
‎08-31-2010 03:09 PM

I started seeing this error yesterday, and the Splunk>answers responses so far don't seem to fit a pattern I am seeing. I seem to get this after I do a lot of searches within a specific time frame, such as last 24 hours. It seems like the "IndexScopedSearch" is retaining/accumulating timestamped data. Is this Index used only to store search results?

I have attempted to see what events were logged at time 1283183159, but I get zero results with searches such as time=1283183159, _time=1283183159 or timestamp=1283183159. How do I find events at the specified time?

Thank you Randy

Tags (4)
0 Karma
Reply

chicodeme
Communicator
‎10-18-2010 09:12 PM

I got this "Error in 'IndexScopedSearch': The search failed. More than 125000 events found at time 1287172432." and an error notice that I went over my indexing volume license. So, I am trying to figure out what happened and cannot find the source that generated all these 'events'.

0 Karma
Reply

RNB
Path Finder
‎08-31-2010 03:53 PM

I can't seem to comment on Answers in Internet Explorer 8 (32bit) or FireFox 3.6.8.

I have read that answer before posting, but it does not seem to relate. If it does relate, I am missing the point. I seriously doubt that we have any single host producing 100,000 messages per second.

I have quite a number of successful searches prior to receiving this error. It seems like I hit some limit on searches and this error appears. The search time frame is the last 24 hours, and I do not see any recent events that would number more than a dozen or so over the last 15 minutes after first seeing the error.

It might be an internal error, but is there a workaround such as clearing the IndexScopedSearch index? Since I don't know if that index is temporary or not, I don't know if that is a good or bad thing to do. If it is okay to clear out the index, I don't know how to do that.

Thank you Randy

Reply

Lowell
Super Champion
‎01-06-2011 02:54 PM

BTW, you need a higher score before you can add a comment; it's not your browser.

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎08-31-2010 03:20 PM

This answer explains what you are seeing I think. It is possible that the data is getting timestamped incorrectly by Splunk, but we'd need more information.

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...