Hi All, Hoping someone out there can help me unravel the mystery I'm currently facing. We have a KV Store that we use to hold MISP values which is checked against when running various security alerts. We have 3 searches that query the MISP data source and, based on the results, should add any new entries into the KV Store. The basics of the search we run are below:

| misp command to get new records in last 24hrs
| bunch of evals to format data
| append
[| inputlookup MispKVstore]
| dedup
| outputlookup append=false MispKVstore

We have this running 3 times to get details for different types of values, but all are stored in the same KV Store. The issue we are having is that once we reach 50 rows in the KV Store, updates are not being made as expected. Each time the search runs, it will add new entries for that category, but it seems to delete / discard the values added by the other searches. All column names are consistent between the searches. I have updated max_rows_per_query as we thought we might be being affected by the 50k limit, but this has not resolved the issue. Seeking any tips, tricks, troubleshooting advice anyone is able to give to help get this sorted. Thanks in advance 🙂
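A worked SPL example of the write pattern under discussion, added here as an illustration and not code from the original post. It assumes a KV store lookup definition named MispKVstore (the name used in the post) whose collection accepts the fields `type` and `value`; those field names, the use of `makeresults` in place of the poster's `misp` command, and the choice of `md5(type . "|" . value)` as the record key are all assumptions made for this example. The point it shows is that `outputlookup append=false` replaces the entire collection with whatever the current search produced, so three jobs that each read the collection, append their own rows and rewrite the whole thing can overwrite each other's rows whenever they overlap in time or the read-back is short. Writing each job's rows with `append=true` and a deterministic `_key` instead turns every run into an insert-or-update of only its own records, so no job ever has to re-emit rows it did not produce:

```spl
| makeresults count=3
| streamstats count AS n
| eval type=case(n=1, "ip-dst", n=2, "domain", n=3, "sha256")
| eval value=case(n=1, "192.0.2.10",
                  n=2, "indicator.example.org",
                  n=3, "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef")
| fields type value
| eval _key=md5(type . "|" . value)
| outputlookup append=true MispKVstore
```

The three rows above are constructed sample data standing in for the output of the `misp` command and the formatting evals. Because `_key` is derived from the indicator itself, re-running the search with an indicator that is already present updates that record rather than creating a duplicate, which removes the need for the `append [| inputlookup ...]` plus `dedup` round trip entirely (`outputlookup` also accepts `key_field=<field>` if you would rather not set `_key` yourself). To confirm what each job actually left behind, run `| inputlookup MispKVstore | stats count BY type` after each of the three searches and check that the per-type counts only ever grow.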