Deployment Architecture

Why am I getting the following error while doing a search: "The limit has been reached for log messages"

srampally
Path Finder

For 1 week search. It gets to 20,306 of 35,215 events matched and then it gets stuck and gives the following error :

The limit has been reached for log messages in info.csv. 35 messages have not been written to info.csv. Please refer to search.log for these messages or limits.conf to configure this limit.
Tags (2)
0 Karma
1 Solution

cpetterborg
SplunkTrust
SplunkTrust

You can change a parameter in the limits.conf file to get rid of this error, but you will have to make thew value high enough to keep it from giving you the error. Don't make it too high, but enough to fix your problem. The value, I believe, is max_infocsv_message and the default is something like 20. In your case I'd set it to 50, but you may have to experiment. Look at the limits.conf documentation to make sure you are doing it all correctly:

https://docs.splunk.com/Documentation/Splunk/7.2.1/Admin/Limitsconf

View solution in original post

cpetterborg
SplunkTrust
SplunkTrust

You can change a parameter in the limits.conf file to get rid of this error, but you will have to make thew value high enough to keep it from giving you the error. Don't make it too high, but enough to fix your problem. The value, I believe, is max_infocsv_message and the default is something like 20. In your case I'd set it to 50, but you may have to experiment. Look at the limits.conf documentation to make sure you are doing it all correctly:

https://docs.splunk.com/Documentation/Splunk/7.2.1/Admin/Limitsconf

rohit2301kumar
New Member

I am also getting this error. we have found this stanza on both indexer and search head. Where do I need to increase the value of max_infocsv_messages.

[search_info]
# These setting control logging of error messages to info.csv
# All messages will be logged to search.log regardless of these settings.
# maximum number of error messages to log in info.csv
# Set to 0 to remove limit, may affect search performance
max_infocsv_messages = 20
# log level = DEBUG | INFO | WARN | ERROR
infocsv_log_level = INFO
# Log warnings if search returns no results because user has no
# permissions to search on queried indexes.
show_warn_on_filtered_indexes = false
# Log level of messages when search returns no results because user has
# no permissions to search on queried indexes.
filteredindexes_log_level = DEBUG

0 Karma
Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...