How can I increase the output count limit for the ...

ctaf · ‎01-23-2017

Hi,

I have a search that is using the "script" command but this search is exceeding a limit as you can see:

Is there a way to increase this limit?
I tried maxinputs of the commands.conf file but without any luck.

Any guess?
Thank you.

gcusello · ‎01-23-2017

Hi ctaf,
could you share your search? because maybe the problem is in another parameter (e.g. sort is limited to 10k events) and there are other parameters to set (e.g. maxresultrows or maxresultrows or subsearch_maxout in join, etc...) in limits.conf.
Bye.
Giuseppe

ctaf · ‎01-23-2017

It's quite simple:

 search index=XXX | table XXXX  | stats XXX | lookup XXX | script python YYYY arg

There is no join or sort...

I saw maxresultrows but there is no "script" stanza...

gcusello · ‎01-23-2017

if you don't use script command, have you always the same limit?
in addition, you don't need to use the table command before a stats command (it only reduces speed of your search).
Bye.
Giuseppe

ctaf · ‎01-23-2017

There is no command.script component if I don't use it...

gcusello · ‎01-23-2017

Have you seen the limits in command.conf file for your script use?
There are:

maxinputs = <integer>
* Maximum number of events that can be passed to the command for each
  invocation.
* This limit cannot exceed the value of maxresultrows in limits.conf.
* 0 for no limit.
* Defaults to 50000.

.

maximum data that can be passed to command (0 = no limit)
MAXINPUTS = 50000

Bye.
Giuseppe

ctaf · ‎01-23-2017

Giuseppe,

As I wrote on my original post, I already tried it.

How can I increase the output count limit for the command.script component?

Access Tokens Page - New & Improved

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Transform your security operations with Splunk Enterprise Security