Hi when i ran this query:
"| tstats count, values(\"Authentication.tag\") as tag from datamodel=Authentication where ((nodename = Authentication.Failed_Authentication) \`hdsi_repeat_failed_logins_alert_filter\`) groupby \"Authentication.src\", \"Authentication.dest\", \"Authentication.user\", _time span=1s | \`drop_dm_object_name(\"Authentication\")\` | eventstats sum(count) as src_count by src | eval user=lower(mvindex(split(user,\"@\"),0)) | search NOT [ search earliest=-24h@h tag=modify tag=password user=* NOT user=\"*$\" | eval user=lower(mvindex(split(user,\"@\"),0)) | dedup user | fields user ] | lookup hdsi_user_login_statistics.csv src, dest, user | eval p_fail_user = exact(failcountbyuser / totalcountbyuser) | eval p_fail_src=exact(failcountbysrc / totalcountbysrc) | where (p_fail_user < 1 AND ( p_fail_src > 0.05 OR p_fail_user > 0.1)) OR isnull(p_fail_user) | eval safeness=case(tag==\"privileged\", 0.25, tag==\"mail\", 6, tag==\"disabled_or_locked_out_authentication\", 8, tag==\"known_scanner_src\",20) | fillnull value=1 safeness | transaction maxspan=10m src,dest,user | stats values(dest) as dest, values(user) as user, sum(count) as eventcount, min(_time) as _time, max(duration) as duration, sum(safeness) as safeness, dc(dest) as dest_count by src | eval thresh = (safeness*30)/dest_count | where eventcount > thresh"
Im getting this error:
"type": "INFO",
"text": "The limit has been reached for log messages in info.csv. 25 messages have not been written to info.csv. Refer to search.log for these messages or limits.conf to configure this limit."
someone can help with that please ?
Hi @havatz
You can refer to below document for the parameter “max_infocsv_message”.You may need to fine tune the parameter.
https://docs.splunk.com/Documentation/Splunk/7.2.1/Admin/Limitsconf
Also,Is there a specific reason for escaping those “ “ in the query ?
I ran API queries so I had to add \ to escape the ".
I must change the config for this parameter to run this query?