|Applies To||RSA Product Set: Security Analytics|
RSA Product/Service Type: Security Analytics UI
|Issue||The following symptoms are seen:|
Jan 27 10:35:26 logconc NwConcentrator: [Index] [warning] Index key event.desc has reached max capacity of 1000 values and will ignore new values for this slice.
In this case the meta key event.desc is full and cannot contain any more values in this index slice as the maximum number of unique values has been reached.
The issue with meta being seen in the session but not being able to investigate on, is often due to the number of unique meta key values filling up beyond the "Value Max Parameter" specified in the index.
Here we see that the event description key is holding a lot of unique values, that are essentially similar. The values are of the following form:
event.desc = 'postfix/postdrop: warning: mail_queue_enter: create file maildrop/170032.936: no space left on device'
|Notes||More information on customising the index can be found here:|
For an explanation of index slices see the topic of Index Saves here:
More information on the index can be found here.