What is the a current limit imposed to the number of results returned in the console for a RQL query?
6968
Created On 11/03/21 16:45 PM - Last Modified 01/24/22 23:33 PM
Question
What is the a current limit imposed to the number of results returned in the console for a RQL query?
Environment
- Prisma Cloud
- 21.11.01
Answer
100,000 is the current limit/cap for RQL query results from Investigate page.
Note: If the query takes more than 3 minutes to finish, it will show 'network error' on the Investigate page.
Additional Information
When there are more than 100K of matching events or matches of RQL query from Investigate page, the page will time-out eventually and display nothing as a result. You can verify it by reviewing the network tab in Dev Tools by clicking Chrome menu > More Tools > Developer Tools.
If you have more than 100K results and still need to get the query, please consider the list of suggested workarounds below.
- Restrict the RQL query to a specific 'cloud.account'. This will reduce the amount of data pulled
- Use 'limit search records to' at the end of the RQL query. At this time - Nov 3, the possible option is 1, 10, 100, 1000, and 10,000