Deployment Architecture

Why am I getting the following error while doing a search: "The limit has been reached for log messages"

srampally
Path Finder

For 1 week search. It gets to 20,306 of 35,215 events matched and then it gets stuck and gives the following error :

The limit has been reached for log messages in info.csv. 35 messages have not been written to info.csv. Please refer to search.log for these messages or limits.conf to configure this limit.
Tags (2)
0 Karma
1 Solution

cpetterborg
SplunkTrust
SplunkTrust

You can change a parameter in the limits.conf file to get rid of this error, but you will have to make thew value high enough to keep it from giving you the error. Don't make it too high, but enough to fix your problem. The value, I believe, is max_infocsv_message and the default is something like 20. In your case I'd set it to 50, but you may have to experiment. Look at the limits.conf documentation to make sure you are doing it all correctly:

https://docs.splunk.com/Documentation/Splunk/7.2.1/Admin/Limitsconf

View solution in original post

cpetterborg
SplunkTrust
SplunkTrust

You can change a parameter in the limits.conf file to get rid of this error, but you will have to make thew value high enough to keep it from giving you the error. Don't make it too high, but enough to fix your problem. The value, I believe, is max_infocsv_message and the default is something like 20. In your case I'd set it to 50, but you may have to experiment. Look at the limits.conf documentation to make sure you are doing it all correctly:

https://docs.splunk.com/Documentation/Splunk/7.2.1/Admin/Limitsconf

rohit2301kumar
New Member

I am also getting this error. we have found this stanza on both indexer and search head. Where do I need to increase the value of max_infocsv_messages.

[search_info]
# These setting control logging of error messages to info.csv
# All messages will be logged to search.log regardless of these settings.
# maximum number of error messages to log in info.csv
# Set to 0 to remove limit, may affect search performance
max_infocsv_messages = 20
# log level = DEBUG | INFO | WARN | ERROR
infocsv_log_level = INFO
# Log warnings if search returns no results because user has no
# permissions to search on queried indexes.
show_warn_on_filtered_indexes = false
# Log level of messages when search returns no results because user has
# no permissions to search on queried indexes.
filteredindexes_log_level = DEBUG

0 Karma
Get Updates on the Splunk Community!

Splunk Lantern | Spotlight on Security: Adoption Motions, War Stories, and More

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)

Greetings, Splunk Cloud Admins and Splunk enthusiasts! The Admin Configuration Service (ACS) team is excited ...

Tech Talk | One Log to Rule Them All

One log to rule them all: how you can centralize your troubleshooting with Splunk logs We know how important ...