For 1 week search. It gets to 20,306 of 35,215 events matched and then it gets stuck and gives the following error :
The limit has been reached for log messages in info.csv. 35 messages have not been written to info.csv. Please refer to search.log for these messages or limits.conf to configure this limit.
You can change a parameter in the limits.conf
file to get rid of this error, but you will have to make thew value high enough to keep it from giving you the error. Don't make it too high, but enough to fix your problem. The value, I believe, is max_infocsv_message
and the default is something like 20. In your case I'd set it to 50, but you may have to experiment. Look at the limits.conf documentation to make sure you are doing it all correctly:
https://docs.splunk.com/Documentation/Splunk/7.2.1/Admin/Limitsconf
You can change a parameter in the limits.conf
file to get rid of this error, but you will have to make thew value high enough to keep it from giving you the error. Don't make it too high, but enough to fix your problem. The value, I believe, is max_infocsv_message
and the default is something like 20. In your case I'd set it to 50, but you may have to experiment. Look at the limits.conf documentation to make sure you are doing it all correctly:
https://docs.splunk.com/Documentation/Splunk/7.2.1/Admin/Limitsconf
I am also getting this error. we have found this stanza on both indexer and search head. Where do I need to increase the value of max_infocsv_messages.
[search_info]
# These setting control logging of error messages to info.csv
# All messages will be logged to search.log regardless of these settings.
# maximum number of error messages to log in info.csv
# Set to 0 to remove limit, may affect search performance
max_infocsv_messages = 20
# log level = DEBUG | INFO | WARN | ERROR
infocsv_log_level = INFO
# Log warnings if search returns no results because user has no
# permissions to search on queried indexes.
show_warn_on_filtered_indexes = false
# Log level of messages when search returns no results because user has
# no permissions to search on queried indexes.
filteredindexes_log_level = DEBUG