Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1567
Views
0
Helpful
2
Replies

StealthWatch limit for number of flow records returned

Go to solution
sammausing
Level 1
Level 1

‎08-17-2020 09:37 PM

Hi Team, 

May I know what is the maximum limit for the records to be returned from a query. Even if I set a higher number for max records returned in my flow query on WebUI or uncheck the record limit in desktop client, it does not return flows more than around 200k at a time.

Is there any setting on SMC which can remove the limit for number of flow returned.

Thanks.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
kyoshiik
Cisco Employee
Cisco Employee

‎08-18-2020 01:27 AM - edited ‎08-18-2020 01:28 AM

Do you run a parallel job(Flow Search query) at the same time?

Online help explain it.

 

  • You can perform a flow search for up to 400,000 flows in one search.
  • Flow searches with a Max Records Returned of 10,000 or less, as well as all top report jobs, run in a different queue from that of flow searches with a Max Records Returned of 20,000 or more.
  • You can run a maximum of four jobs at the same time if the Max Records Returned for the flow search is 10,000 or less. It does not matter what the Records Returned value is for a top report job.
  • You can run only one flow search at a time if the Max Records Returned is 20,000 or more.

Also, you can select how many "max record returned" in Flow Search.

I attached the image file.

If you select 20k+, you need to download csv file to get results.

 

If it still doesn't reach your expected number, please open TAC case.

View solution in original post

Preview file
330 KB
0 Helpful
2 Replies 2

Go to solution
kyoshiik
Cisco Employee
Cisco Employee

‎08-18-2020 01:27 AM - edited ‎08-18-2020 01:28 AM

Do you run a parallel job(Flow Search query) at the same time?

Online help explain it.

 

  • You can perform a flow search for up to 400,000 flows in one search.
  • Flow searches with a Max Records Returned of 10,000 or less, as well as all top report jobs, run in a different queue from that of flow searches with a Max Records Returned of 20,000 or more.
  • You can run a maximum of four jobs at the same time if the Max Records Returned for the flow search is 10,000 or less. It does not matter what the Records Returned value is for a top report job.
  • You can run only one flow search at a time if the Max Records Returned is 20,000 or more.

Also, you can select how many "max record returned" in Flow Search.

I attached the image file.

If you select 20k+, you need to download csv file to get results.

 

If it still doesn't reach your expected number, please open TAC case.

Preview file
330 KB
0 Helpful

Go to solution
sammausing
Level 1
Level 1
In response to kyoshiik

‎08-20-2020 07:25 PM

Thanks! I have already performed the 400,000 flow search several times but the search returns only 200k+ records. I am on v6.10.5. Does this make any difference. I will open a TAC for this.
0 Helpful
Customers Also Viewed These Support Documents