I need to create an outputlookup file with more than 10,000 results. I've looked through the limits.conf examples and I can't find a way to increase the number of results beyond 10K.
Is this possible?
What is the full search? outputlookup itself does not have any results limits, and a limit of 10k would mostly be due to a sort command you may be using. (sort implicitly truncates to the first 10k output rows unless you specify limit=0 as an argument to it.)
The search is:
sourcetype="nessus_plugins" | table nessus_id,cve_id,osvdb_id | outputlookup osvdb_cvs_lookup.csv
If I remove the outputlookup part of the search, it still maxes out at 100000 events.