Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

After updating an app, why am I getting search error "The limit has been reached for log messages in info.csv"?

danieldu
Engager
‎11-18-2015 10:56 AM

After I updated an app, why am I getting these search errors?

The limit has been reached for log messages in info.csv. 34 messages have not been written to info.csv. Please refer search.log for these messages or limits.conf to configure this limit.
[LOG2] Info.csv being bloated by "lookup" log messages . Will not log additional errors. Refer search.log
[LOG2] The limit has been reached for log messages in info.csv. 13 messages have not been written to info.csv. Please refer search.log for these messages or limits.conf to configure this limit
Reply

Michael
Contributor
‎12-05-2019 01:20 PM

FYI, I just noticed this with 7.3.1 and 7.3.3 today...

No apps were recently updated, changed, added, removed...

It does not involve a lookup table.

info.csv exists nowhere on in the environment -- and nothing appears to be referring to it...

I'm going push the bundle tomorrow morning using the "max_infocsv_messages = 1000" setting mentioned below. I'll let you know what happens...

0 Karma
Reply

koshyk
Super Champion
‎03-15-2018 04:11 AM

Though this question has been here for a while, please find some info if its helpful.

As per limits.conf documentation ..

* This stanza controls logging of messages to the info.csv file.
* Messages logged to the info.csv file are available to REST API clients  and Splunk Web. Limiting the messages added to info.csv will mean that these messages will not be available in the UI and/or the REST API.

The reason is max_infocsv_messages is 20 (in 6.5x version default settings) which is too small imo. Though this is not a big issue, the best way to solve is to create an app of your own (eg MY_limits_settings) and put an entry in local/limits.conf of something like
[search_info]
infocsv_log_level = INFO
max_infocsv_messages = 1000

You need to ensure the app MY_limits_settings is pushed to Indexer tier if its cluster.
If you think an App have changed the settings, do a btool dump and check for the values 

/opt/splunk/bin/splunk cmd btool limits list --debug > /tmp/limits.btool

and check for the stanza [search_info] , parameter max_infocsv_messages and the app which created the value.

Reply

sjohnson_splunk
Splunk Employee
Splunk Employee
‎05-24-2016 07:20 AM

You might mention what app you updated that produced these errors.

I suspect that there is an issue with one or more of the lookup tables in the updated app. Either the lookup table name is wrong in a search, or the table is now missing or there is a field in the table that is missing or the name is incorrect.

You can look inside the search artifact at the info.csv and you should see some clue what condition is generating the errors.

0 Karma
Reply

kamal_jagga
Contributor
‎09-20-2017 12:25 PM

I am also getting the same error. And could not find any reference of info.csv anywhere. Kindly advise.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...