After I updated an app, why am I getting these search errors?
The limit has been reached for log messages in info.csv. 34 messages have not been written to info.csv. Please refer search.log for these messages or limits.conf to configure this limit. [LOG2] Info.csv being bloated by "lookup" log messages . Will not log additional errors. Refer search.log [LOG2] The limit has been reached for log messages in info.csv. 13 messages have not been written to info.csv. Please refer search.log for these messages or limits.conf to configure this limit
FYI, I just noticed this with 7.3.1 and 7.3.3 today...
No apps were recently updated, changed, added, removed...
It does not involve a lookup table.
info.csv exists nowhere on in the environment -- and nothing appears to be referring to it...
I'm going push the bundle tomorrow morning using the "max_infocsv_messages = 1000" setting mentioned below. I'll let you know what happens...
Though this question has been here for a while, please find some info if its helpful.
As per limits.conf documentation ..
* This stanza controls logging of messages to the info.csv file. * Messages logged to the info.csv file are available to REST API clients and Splunk Web. Limiting the messages added to info.csv will mean that these messages will not be available in the UI and/or the REST API.
The reason is
max_infocsv_messages is 20 (in 6.5x version default settings) which is too small imo. Though this is not a big issue, the best way to solve is to create an app of your own (eg
MY_limits_settings) and put an entry in
local/limits.conf of something like
infocsv_log_level = INFO
max_infocsv_messages = 1000
You need to ensure the app
MY_limits_settings is pushed to Indexer tier if its cluster.
If you think an App have changed the settings, do a btool dump and check for the values
/opt/splunk/bin/splunk cmd btool limits list --debug > /tmp/limits.btool
and check for the stanza
[search_info] , parameter
max_infocsv_messages and the app which created the value.
You might mention what app you updated that produced these errors.
I suspect that there is an issue with one or more of the lookup tables in the updated app. Either the lookup table name is wrong in a search, or the table is now missing or there is a field in the table that is missing or the name is incorrect.
You can look inside the search artifact at the info.csv and you should see some clue what condition is generating the errors.