To be honest, I don't know. It could be any one or more of these (or something else). [searchresults] * This stanza controls search results for a variety of Splunk search commands. maxresultrows = <integer> * Configures the maximum number of events are generated by search commands which grow the size of your result set (such as multikv) or that create events. Other search commands are explicitly controlled in specific stanzas below. * This limit should not exceed 50000. * Default: 50000 or this Distributed search # This section contains settings for distributed search connection # information. max_combiner_memevents = <integer> * Maximum size of the in-memory buffer for the search results combiner. The <integer> is the number of events. * Default: 50000  or this Results storage # This section contains settings for storing final search results. max_count = <integer> * The number of events that can be accessible in any given status bucket (when status_buckets = 0). * The last accessible event in a call that takes a base and count. * NOTE: This value does not reflect the number of events displayed in the UI after the search is evaluated or computed. * Default: 500000 or this [anomalousvalue] maxresultrows = <integer> * Configures the maximum number of events that can be present in memory at one time. * Default: The value set for 'maxresultrows' in the [searchresults] stanza, which is 50000 by default.      ... View more

I'm waiting on the same thing. This app is holding us from upgrading to splunk version 8. Anyone know when this is going to be released? Splunkbase just indicates not yet for version 8. ... View more

Hi, Thanks for the answer. I've already tried this solution (before posting the question) with one line per port. But the amount of combinations is huge - millions of lines which won't work at all. That's why I need another solution - a solution that can handle this ranges instead of "unfolding" all combinations. ... View more

I had encountered another issue. Adaptive response action GUI on my search head says that the search hasn't returned any results to populate phantom instance & playbook dropdown. After a little research, I had figured out that the search is delegated to the indexer, which doesn't have the phantom instance configured. To solve it, search need to be run locally, on the search head or phantom needs to be configured on indexing layer as well. I took the easy way and changed the runphantomplaybook.html and sendtophantom.html and add splunk_server=local before the pipe. ... View more

Disclaimer: I'm an employee at OpsGenie 🙂 OpsGenie App uses the storage/passwords endpoint for storing OpsGenie API Key securely. Hence, you need the assign the "list_storage_passwords" capability to the desired user according to this document:https://docs.splunk.com/Documentation/Splunk/7.0.1/Security/Rolesandcapabilities Hope that helps, Bener ... View more