Splunk 索引范围搜索和默认提取时间错误解决

Splunk Enterprise. Version: 7.2.3. Build: 06d57c595b80.

New dataset of a 70 MB log file. The timestamp of the log file was based on seconds the device operated, not a traditional month, day, year, etc… When I ingested the file to Splunk, it was assigned the default timestamp of the time of ingest since there was no discernible timestamp. I wanted to round the time to the nearest tenth of a second since further granularity is not needed at this point:

index=main source="03182019.csv"
| eval appTime=round(time)
| stats c by appTime
| sort appTime

When I try doing this search I receive this error:
Error in ‘IndexScopedSearch’: The search failed. More than 1000000 events found at time 1553486400.
Understandably, this is a lot of events but is there no way to increase the limit so searches like this can be run? Currently, it only returns chunks of the data and there are large amounts of it missing.

answer：
We are experiencing this issue when creating summaries with more than 1M results…

解决方法

修改$SPLUNK_HOME/system/local/server.conf配置文件修改下述参数

max_content_length = 99999999999
// 最大搜索长度

问题描述

在进行数据采集时sourcetype设置的_time字段提取规则有误，没有提取到相关的内容。

Splunk community 问题链接