Splunk Search

query error tstat

havatz
Explorer

Hi when i ran this query:

 

 

"| tstats count, values(\"Authentication.tag\") as tag from datamodel=Authentication where ((nodename = Authentication.Failed_Authentication) \`hdsi_repeat_failed_logins_alert_filter\`) groupby \"Authentication.src\", \"Authentication.dest\", \"Authentication.user\", _time span=1s | \`drop_dm_object_name(\"Authentication\")\` | eventstats sum(count) as src_count by src | eval user=lower(mvindex(split(user,\"@\"),0)) | search NOT [ search earliest=-24h@h tag=modify tag=password user=* NOT user=\"*$\" | eval user=lower(mvindex(split(user,\"@\"),0)) | dedup user | fields user ] | lookup hdsi_user_login_statistics.csv src, dest, user | eval p_fail_user = exact(failcountbyuser / totalcountbyuser) | eval p_fail_src=exact(failcountbysrc / totalcountbysrc) | where (p_fail_user < 1 AND ( p_fail_src > 0.05 OR p_fail_user > 0.1)) OR isnull(p_fail_user) | eval safeness=case(tag==\"privileged\", 0.25, tag==\"mail\", 6, tag==\"disabled_or_locked_out_authentication\", 8, tag==\"known_scanner_src\",20) | fillnull value=1 safeness | transaction maxspan=10m src,dest,user | stats values(dest) as dest, values(user) as user, sum(count) as eventcount, min(_time) as _time, max(duration) as duration, sum(safeness) as safeness, dc(dest) as dest_count by src | eval thresh = (safeness*30)/dest_count | where eventcount > thresh"

Im getting this error:

"type": "INFO",
"text": "The limit has been reached for log messages in info.csv. 25 messages have not been written to info.csv. Refer to search.log for these messages or limits.conf to configure this limit."

someone can help with that please ?

Labels (1)
0 Karma

ashajambagi
Communicator

Hi @havatz 

 You can refer to below document for the parameter “max_infocsv_message”.You may need to fine tune the parameter.

https://docs.splunk.com/Documentation/Splunk/7.2.1/Admin/Limitsconf


Also,Is there a specific reason for escaping those  “ “ in the query ?

0 Karma

havatz
Explorer

I ran API queries so I had to add \ to escape the ".

I must change the config for this parameter to run this query?

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Laser Bananas and Edge Hubs: Exploring Operational Technology (OT) Data Through a ...

  OT is a different environment to traditional IT and can have interesting challenges when interfacing the ...

Event Series: Mastering AI Tokenomics and Splunk Agent Observability

Beyond the Black Box: Correlating AI Performance and Tokenomics with Splunk Agent Observability   As ...

span_metrics: The OpenTelemetry-Idiomatic Way to See Inside Your Services

You open a trace in Splunk Observability Cloud and everything looks fine. One root span, order-pipeline, with ...