Usage limits
Ingestion
The maximum size of a single event is 32 MB. Arrays should be sent to Devo as separate elements.
The number of collectors running in the Cloud Collector Application is limited. Contact us to request an increase.
The number of pods assigned to a collector running in the Cloud Collector Application is limited. Contact us to request an increase.
Query engine
When these limits are reached, the query is cancelled and error code 109 is returned.
Regular expression
There is a limit based on the number of steps required by a regular expression. The limit depends on the string size.
In many cases, this limit can be avoided by using the `has` and `split` operations instead of regular expressions. JSON objects should be processed with `jsonparse`.
Maximum memory usage
There is a limit on the amount of memory that can be used for aggregation in queries containing `group`. This limit depends on the number of queries running.
Memory depletion is usually caused by expressions such as `group by source_ip, destination_ip`, which create large lists.
Subqueries
Memory: 32 KB for a single subquery, 64 KB for all subqueries
CPU: 10 minutes
Execution time: 20 minutes
These limits can often be avoided by replacing the subquery with a query lookup. To query data from multiple tables without a subquery, use a custom table.
Memory limits for aggregations that create complex data types
`collect`, `collectSorted`, `collectDistinct`, percentile operations: 100,000 elements
Alerts
There is a limit on the number of alert rules running in a domain. Contact us to request an increase.
In a rolling alert, the “Check last” setting may not be more than 120 times the “Run every” setting.
In an each alert containing a subquery, the “Internal period” setting may not be more than 120 times the “External period” setting. The external period is 1 minute or, for queries with a time-based grouping, the duration of the grouping.
When retrieving a triggered alert from the “Alerts” tool or API, at most 100,000 alerts can be retrieved. No more than 90 days of alerts can be retrieved at once.
When an alert triggers, it may write up to 65 KB of metadata to the extraData field.
Alert rate limits override anti-flooding policies. Use time-based grouping to reduce the alert rate if these policies are a concern.
Priority | Maximum alerts in five minutes |
---|---|
Very high | 1000 |
High | 500 |
Other | 100 |
Aggregation tasks
10 running aggregation tasks
Data Search web application limits
Limits can be configured in domain preferences. To prevent memory depletion, there is a fixed 20 MB limit on the size of events displayed in Data Search. Typically, events bigger than 1 MB are arrays of events. Events should be sent to Devo as single array elements. To troubleshoot the ingestion of huge events, use the query API to retrieve them. The error message is `One or more events weren't retrieved`.
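The array guidance under Ingestion and the size thresholds in this section can be checked before data is sent. The following is an added example, not Devo code: it splits a JSON array payload into separate events and reports which limit each event would hit. It assumes MB means 1,048,576 bytes (the page does not specify), and the function and status names are hypothetical.

```python
import json

MB = 1024 * 1024               # assumption: binary megabytes; the page does not specify
MAX_EVENT_BYTES = 32 * MB      # maximum size of a single event at ingestion
MAX_DISPLAY_BYTES = 20 * MB    # fixed Data Search display limit
ARRAY_HINT_BYTES = 1 * MB      # above this, an event is typically an array


def classify(size):
    """Map an event size in bytes to the limit it runs into (status names are hypothetical)."""
    if size > MAX_EVENT_BYTES:
        return "exceeds_ingestion_limit"
    if size > MAX_DISPLAY_BYTES:
        return "not_displayed_in_data_search"
    if size > ARRAY_HINT_BYTES:
        return "check_for_unsplit_array"
    return "ok"


def _flatten(value):
    """Yield every non-list element of a (possibly nested) JSON array."""
    if isinstance(value, list):
        for item in value:
            yield from _flatten(item)
    else:
        yield value


def split_events(raw):
    """Split one payload into (event_text, size_bytes, status) tuples."""
    try:
        parsed = json.loads(raw)
    except json.JSONDecodeError:
        parsed = None              # not JSON: keep the payload as one opaque event
    if isinstance(parsed, list):
        texts = [json.dumps(e, separators=(",", ":"), ensure_ascii=False)
                 for e in _flatten(parsed)]
    else:
        texts = [raw]
    return [(t, len(t.encode("utf-8")), classify(len(t.encode("utf-8")))) for t in texts]


# Constructed sample payload: two events wrapped in one array, one of them nested.
SAMPLE = '[{"src":"10.0.0.1","action":"deny"},[{"src":"10.0.0.2","action":"allow"}]]'

if __name__ == "__main__":
    for text, size, status in split_events(SAMPLE):
        print(size, status, text)
```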
Lookups API Limits
Action type | Description |
---|---|
General | Lookup size: 8 GB |
General | Lookup rows: 33,554,432 |
Uploading lookups via API | Lookup size: 25 MB |
Uploading lookups via S3 | General limits |
Uploading lookups via query | Lookup size: 8 GB |