https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/elasticsearch-integration-events-return-limit/m-p/549561#M2321 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/208028">@jfernandes1</a>!</P> <P>Thanks for your reply. It was very helpful for the purpose of the post.</P> <P>&nbsp;</P> <P>However, I would like to know if there is a way to create a loop to fetch all events to the end. I mean, I just created a built-in loop in a subplaybook that increments the page from 0 to 2. This method allows me to double search and retrieve 20k events, but what if there were 50k waiting to be retrieved?</P> <P>&nbsp;</P> <P>My method allows to search, introducing a static parameter, those events. However, in the worst case, if instead of 50k, there were 20k, you would be making 3 queries that will not be efficient since there will be no results.<BR />In the same way that if there were 100k events (instead of 50k), we would be "losing" events in the report.</P> Mon, 17 Jul 2023 11:38:31 GMT SergioPalacios 2023-07-17T11:38:31Z https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/elasticsearch-integration-events-return-limit/m-p/549365#M2318 <P>Hello everyone!</P> <P>&nbsp;</P> <P>I am currently using the Elasticsearch integrations to retrieve events related to an incident or events for a specific report and generally have no issues with that. However, sometimes some "reports" have queries that retrieve +10k events.</P> <P>&nbsp;</P> <P>Looking at the Elasticsearch integration, I can see that the maximum event count limit is 10k and I'm wondering if there is an "easy" solution to this.</P> <P>&nbsp;</P> <P>I know that the Elasticserach API, when you need to search for more than 10k events, gives you a scroll_id that you can do a second query to and retrieve the rest of the events, but I haven't seen anything about this parameter or situation in the integration options by Elasticsearch</P> <P>&nbsp;</P> <P>Is there a solution for this without developing a custom script based on the same Elasticsearch integration?</P> <P>&nbsp;</P> <P>Thanks in advance.</P> Fri, 14 Jul 2023 11:02:13 GMT https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/elasticsearch-integration-events-return-limit/m-p/549365#M2318 SergioPalacios 2023-07-14T11:02:13Z https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/elasticsearch-integration-events-return-limit/m-p/549461#M2320 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/299305">@SergioPalacios</a>,</P> <P>&nbsp;</P> <P>Did you try the "page" option.<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2023-07-17 at 10.40.36 am.png" style="width: 773px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/51621i28790BA47C86CA2E/image-dimensions/773x121/is-moderation-mode/true?v=v2" width="773" height="121" role="button" title="Screenshot 2023-07-17 at 10.40.36 am.png" alt="Screenshot 2023-07-17 at 10.40.36 am.png" /></span></P> <P>&nbsp;</P> <P>You can run the search command multiple times till the returned size is less than 10k. Please note that we not recommend storing large amounts of data inside the context. If not converted automatically, please save this as a file.&nbsp;</P> Mon, 17 Jul 2023 00:42:31 GMT https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/elasticsearch-integration-events-return-limit/m-p/549461#M2320 jfernandes1 2023-07-17T00:42:31Z https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/elasticsearch-integration-events-return-limit/m-p/549561#M2321 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/208028">@jfernandes1</a>!</P> <P>Thanks for your reply. It was very helpful for the purpose of the post.</P> <P>&nbsp;</P> <P>However, I would like to know if there is a way to create a loop to fetch all events to the end. I mean, I just created a built-in loop in a subplaybook that increments the page from 0 to 2. This method allows me to double search and retrieve 20k events, but what if there were 50k waiting to be retrieved?</P> <P>&nbsp;</P> <P>My method allows to search, introducing a static parameter, those events. However, in the worst case, if instead of 50k, there were 20k, you would be making 3 queries that will not be efficient since there will be no results.<BR />In the same way that if there were 100k events (instead of 50k), we would be "losing" events in the report.</P> Mon, 17 Jul 2023 11:38:31 GMT https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/elasticsearch-integration-events-return-limit/m-p/549561#M2321 SergioPalacios 2023-07-17T11:38:31Z