11/7/2022

Splunk limits.conf

To get more details of a failure of the checkpoint_upload_ioc alert action, view the checkpoint_upload_ioc_modalert.log file located at $SPLUNK_HOME/var/log/splunk, or run this search:

index=cim_modactions sourcetype=modular_alerts:checkpoint_upload_ioc

The app uses the KV Store to maintain the indicators and their metadata. When the action is executed, all the records are fetched from the KV Store and the CSV file is created from that data. The default maximum size of the result that can be fetched in a single query is 50 MB. If the size of the data is larger, create a limits.conf file in the $SPLUNK_HOME/etc/system/local directory containing the KV Store result-size settings described by the comments below, and save it:

# provide value in mb according to the volume of your data
# provide max number of rows returned per single query

For more information, refer to the limits.conf section of the Splunk documentation.

If the alert action is aborted, you can increase the timeout of the action. Create the alert action configuration file under $SPLUNK_HOME/etc/apps/TA-checkpoint_response/local/ (the file name is garbled in the post; Splunk reads alert action timeouts from alert_actions.conf in that directory) and paste the contents below:

# maximum amount of time that the execution of an action is allowed
# use d for days, h for hours, m for minutes, s for seconds suffix to define the period of time
# specify the timeout for file transfer in seconds

Slow performance due to a huge amount of data: the default limit is set to 1000 records. If there is a large number of indicators, you can increase the number of indicators processed in a single API call.
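The two configuration changes above, as an added shell example (not code from the post or from the TA-checkpoint_response app). It writes the KV Store limits into $SPLUNK_HOME/etc/system/local/limits.conf and the action timeout into the app's local alert_actions.conf, appending each stanza only if it is not already there so existing settings in those files are not clobbered. Assumptions: the [kvstore] stanza with max_size_per_result_mb and max_rows_per_query is Splunk's documented limits.conf location for these limits (defaults 50 MB and 50000 rows); the stanza name [checkpoint_upload_ioc] is inferred from the log file and sourcetype named in the post; the values 200, 500000 and 30m are placeholders to size for your own data; the app's own file-transfer timeout and the 1000-record batch size are not named in the post, so this script does not set them.

```shell
#!/bin/sh
# Added example for the Splunk limits.conf / alert_actions.conf changes
# described in the post. Not part of the original post or the app.
set -eu

splunk_home() {
    # Fail early with a clear message if SPLUNK_HOME is not exported.
    printf '%s\n' "${SPLUNK_HOME:?set SPLUNK_HOME to the Splunk installation directory}"
}

# Append a stanza (read from stdin) to $1 unless a stanza named $2 already
# exists there. Overwriting a shared file such as system/local/limits.conf
# would silently drop other teams' settings, so never truncate it.
append_stanza_once() {
    file=$1
    stanza=$2
    if [ -f "$file" ] && grep -q "^\[$stanza\]" "$file"; then
        echo "[$stanza] already present in $file; edit it by hand" >&2
        return 0
    fi
    mkdir -p "$(dirname "$file")"
    if [ -s "$file" ]; then
        printf '\n' >> "$file"
    fi
    cat >> "$file"
}

# Raise the KV Store per-query result limits (stanza/key names are Splunk's
# documented settings; the values are placeholders, size them for your data).
write_kvstore_limits() {
    file="$(splunk_home)/etc/system/local/limits.conf"
    append_stanza_once "$file" kvstore <<'EOF'
[kvstore]
# provide value in mb according to the volume of your data
max_size_per_result_mb = 200
# provide max number of rows returned per single query
max_rows_per_query = 500000
EOF
    printf '%s\n' "$file"
}

# Give the upload action more time before Splunk aborts it. The stanza name is
# inferred from the checkpoint_upload_ioc log/sourcetype in the post; 30m is a
# placeholder. The app's own file-transfer timeout parameter is not named in
# the post, so it is not set here.
write_alert_timeout() {
    file="$(splunk_home)/etc/apps/TA-checkpoint_response/local/alert_actions.conf"
    append_stanza_once "$file" checkpoint_upload_ioc <<'EOF'
[checkpoint_upload_ioc]
# maximum amount of time that the execution of an action is allowed
# use d for days, h for hours, m for minutes, s for seconds suffix
maxtime = 30m
EOF
    printf '%s\n' "$file"
}

# Confirm which file wins after layering, if a Splunk install is present.
show_effective_settings() {
    home=$(splunk_home)
    if [ -x "$home/bin/splunk" ]; then
        "$home/bin/splunk" btool limits list kvstore --debug
        "$home/bin/splunk" btool alert_actions list checkpoint_upload_ioc --debug
    else
        echo "no splunk binary under $home; restart Splunk and verify with btool" >&2
    fi
}

# Usage: SPLUNK_HOME=/opt/splunk sh fix_limits.sh apply
if [ "${1:-}" = "apply" ]; then
    write_kvstore_limits
    write_alert_timeout
    show_effective_settings
fi
```

Both files are read at startup, so restart splunkd after applying them, then use the btool output to make sure no higher-precedence copy of limits.conf (for example in another app's local directory) is overriding the values you just set.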