Splunk Search

After updating an app, why am I getting search error "The limit has been reached for log messages in info.csv"?

Engager

After I updated an app, why am I getting these search errors?

The limit has been reached for log messages in info.csv. 34 messages have not been written to info.csv. Please refer search.log for these messages or limits.conf to configure this limit.
[LOG2] Info.csv being bloated by "lookup" log messages . Will not log additional errors. Refer search.log
[LOG2] The limit has been reached for log messages in info.csv. 13 messages have not been written to info.csv. Please refer search.log for these messages or limits.conf to configure this limit

Contributor

FYI, I just noticed this with 7.3.1 and 7.3.3 today...

No apps were recently updated, changed, added, removed...

It does not involve a lookup table.

info.csv exists nowhere on in the environment -- and nothing appears to be referring to it...

I'm going push the bundle tomorrow morning using the "max_infocsv_messages = 1000" setting mentioned below. I'll let you know what happens...

0 Karma

Super Champion

Though this question has been here for a while, please find some info if its helpful.

As per limits.conf documentation ..

* This stanza controls logging of messages to the info.csv file.
* Messages logged to the info.csv file are available to REST API clients  and Splunk Web. Limiting the messages added to info.csv will mean that these messages will not be available in the UI and/or the REST API.

The reason is max_infocsv_messages is 20 (in 6.5x version default settings) which is too small imo. Though this is not a big issue, the best way to solve is to create an app of your own (eg MY_limits_settings) and put an entry in local/limits.conf of something like
[search_info]
infocsv_log_level = INFO
max_infocsv_messages = 1000

You need to ensure the app MY_limits_settings is pushed to Indexer tier if its cluster.
If you think an App have changed the settings, do a btool dump and check for the values

/opt/splunk/bin/splunk cmd btool limits list --debug > /tmp/limits.btool

and check for the stanza [search_info] , parameter max_infocsv_messages and the app which created the value.

Splunk Employee
Splunk Employee

You might mention what app you updated that produced these errors.

I suspect that there is an issue with one or more of the lookup tables in the updated app. Either the lookup table name is wrong in a search, or the table is now missing or there is a field in the table that is missing or the name is incorrect.

You can look inside the search artifact at the info.csv and you should see some clue what condition is generating the errors.

0 Karma

Contributor

I am also getting the same error. And could not find any reference of info.csv anywhere. Kindly advise.

0 Karma