This page lists the limits and standard operating parameters of Next-Gen SIEM. See Best Practice for guidance on ingesting data with the Ingest API.
| Limit | Value |
|---|---|
| Live query memory | 1 GB |
| Search API job timeout | 90 seconds |
| Max query results | 1,000,000 |
To prevent a search API timeout, keep a job alive by calling Get search results with the job ID every 60-90 seconds. Requests for query jobs that were canceled for inactivity return an HTTP 404 status. The result limit is lower when certain functions are used.
| Limit | Value |
|---|---|
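The keepalive loop described above, as an added example that is not part of this page or of the product's own client code. It assumes a caller-supplied `get_results(job_id)` function that returns the HTTP status and the decoded JSON body, and that the body carries a boolean `done` field (an assumption about the response shape); a simulated API with a fake clock stands in for the real endpoint so the 90-second inactivity cancellation can be exercised offline.

```python
import time
from typing import Any, Callable, Dict, Tuple

JOB_TIMEOUT_SECONDS = 90      # documented Search API job timeout
KEEPALIVE_SECONDS = 60        # poll well inside the timeout window


class JobCancelled(Exception):
    """Raised when the API answers 404: the job was cancelled for inactivity or never existed."""


def poll_search_job(get_results: Callable[[str], Tuple[int, Dict[str, Any]]],
                    job_id: str,
                    keepalive_seconds: float = KEEPALIVE_SECONDS,
                    max_polls: int = 120,
                    sleep: Callable[[float], None] = time.sleep) -> Dict[str, Any]:
    """Fetch results until the job reports done.

    Every call to Get search results counts as activity, so polling at an
    interval shorter than JOB_TIMEOUT_SECONDS keeps the job from being cancelled.
    """
    if not 0 < keepalive_seconds < JOB_TIMEOUT_SECONDS:
        raise ValueError("keepalive interval must be shorter than the 90 s job timeout")
    for _ in range(max_polls):
        status, body = get_results(job_id)
        if status == 404:
            raise JobCancelled(f"job {job_id} was cancelled for inactivity or does not exist")
        if status != 200:
            raise RuntimeError(f"unexpected HTTP {status} for job {job_id}")
        if body.get("done"):            # assumed response field
            return body
        sleep(keepalive_seconds)
    raise TimeoutError(f"job {job_id} did not finish within {max_polls} polls")


class FakeSearchApi:
    """Constructed stand-in for the Search API with a simulated clock.

    The job finishes after `done_after_polls` result fetches, and is cancelled
    (404 from then on) if no fetch arrives within JOB_TIMEOUT_SECONDS.
    """

    def __init__(self, done_after_polls: int = 3) -> None:
        self.now = 0.0
        self.last_activity = 0.0
        self.polls = 0
        self.done_after_polls = done_after_polls
        self.cancelled = False

    def sleep(self, seconds: float) -> None:
        self.now += seconds

    def get_results(self, job_id: str) -> Tuple[int, Dict[str, Any]]:
        if self.cancelled or self.now - self.last_activity > JOB_TIMEOUT_SECONDS:
            self.cancelled = True
            return 404, {"error": "job not found"}
        self.last_activity = self.now
        self.polls += 1
        done = self.polls >= self.done_after_polls
        events = [{"@rawstring": f"constructed event {i}"} for i in range(self.polls)]
        return 200, {"done": done, "events": events}


def run_demo() -> Dict[str, Any]:
    """Happy path: three polls 60 s apart never trip the inactivity timeout."""
    api = FakeSearchApi(done_after_polls=3)
    return poll_search_job(api.get_results, "job-demo", sleep=api.sleep)


if __name__ == "__main__":
    print(run_demo())
```

Pass the real HTTP client's fetch function as `get_results` and leave `sleep` at its default; the fake is only there to show that a gap longer than the timeout turns subsequent fetches into 404s.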
| Max active scheduled searches + correlation rules | 750 |
| Max search runtime | 60 minutes |
| Max concurrent scheduled searches + rules | 30 |
| Max detections per correlation rule execution | 50 |
Exceeding the max search runtime times out the search; if this happens frequently, consider optimizing the query. If the queue exceeds the concurrency limit, executions may be delayed; consider reducing the frequency. Exceeding the detection limit automatically disables the rule; set the trigger type to Summary instead of Verbose, or update the query to return fewer results.
| Limit | Value |
|---|---|
| Max events/detections in a case (Workbench) | 100 |
| Max events in a detection | 500 |
Beyond these limits, attempts to add additional events or detections fail. For detections, only the first 500 events are included, and an info message is added to the Details view.
| Limit | Value |
|---|---|
| Max Action result size | 10 MB |
| Max data per ingestion action execution | 950 KB |
| Execution log retention | 90 days |
| Max Loop iterations per workflow | 100,000 |
| Max rows per search result (NG-SIEM integration) | 10,000 |
| Minimum scheduled workflow granularity | 1 hour |
| Limit | Value |
|---|---|
| Max fields per event | 8,000 |
| Max event size | 1 MB |
| Max CSV lookup file size | 200 MB |
| Max JSON lookup upload size | 100 MB |
| Max file upload size | 2,048 MB |
During ingest, fields are sorted alphabetically and the first 8,000 are parsed; the remainder are dropped. The @rawstring field is not modified and contains all data. When the max event size is reached, fields are removed entirely and @rawstring is truncated with "..." appended. Only @rawstring, @timestamp, and @timezone are retained when truncation occurs.
| Limit | Value |
|---|---|
| Default rdns() events | 5,000 |
| Max rdns() events | 20,000 |
| Default groupBy() / selfJoin() limit | 20,000 rows |
| Max groupBy() limit | 200,000 |
| Max events in tail(), head(), sort() | 20,000 |
| collect() mapper memory (top-level) | 10 MiB |
| collect() mapper memory (subquery/subaggregator) | 1 MiB |
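A pre-ingest check that models the two truncation rules above, added here as an example and not code from this page or from the product. It assumes "alphabetically" means a plain code-point sort of field names, that event size is measured as the UTF-8 length of the compactly serialized JSON event, and that the "..." marker is counted inside the size budget; all three are assumptions made so the function can flag events that would lose fields before they are sent.

```python
import json
from typing import Any, Dict, List

MAX_FIELDS = 8_000                          # documented max fields per event
MAX_EVENT_BYTES = 1 * 1024 * 1024           # documented 1 MB max event size (assumed binary MB)
RETAINED_ON_TRUNCATION = ("@rawstring", "@timestamp", "@timezone")
TRUNCATION_MARKER = "..."


def event_size(event: Dict[str, Any]) -> int:
    """Size of the event as compact UTF-8 JSON (assumed size measure)."""
    return len(json.dumps(event, separators=(",", ":")).encode("utf-8"))


def apply_ingest_limits(event: Dict[str, Any],
                        max_fields: int = MAX_FIELDS,
                        max_bytes: int = MAX_EVENT_BYTES) -> Dict[str, Any]:
    """Return what would survive ingest, plus what was dropped, under the documented rules.

    Rule 1: sort field names, parse the first `max_fields`, drop the rest
            (@rawstring stays intact and is always kept).
    Rule 2: if the event is still over `max_bytes`, keep only @rawstring,
            @timestamp and @timezone and cut @rawstring down with "..." appended.
    """
    ordered = sorted(event)                              # code-point sort (assumption)
    kept_names = set(ordered[:max_fields])
    if "@rawstring" in event:
        kept_names.add("@rawstring")
    kept = {name: event[name] for name in ordered if name in kept_names}
    dropped: List[str] = [name for name in ordered if name not in kept_names]
    truncated = False

    if event_size(kept) > max_bytes:
        truncated = True
        dropped.extend(name for name in kept if name not in RETAINED_ON_TRUNCATION)
        kept = {name: value for name, value in kept.items() if name in RETAINED_ON_TRUNCATION}
        raw = str(kept.get("@rawstring", ""))
        # Budget for raw text = limit minus everything else minus the marker itself.
        overhead = event_size({**kept, "@rawstring": ""})
        budget = max(0, max_bytes - overhead - len(TRUNCATION_MARKER))
        kept["@rawstring"] = raw[:budget] + TRUNCATION_MARKER

    return {"event": kept, "dropped_fields": dropped, "truncated": truncated}


def check_for_ingest(event: Dict[str, Any]) -> List[str]:
    """Human-readable warnings for an event that would not survive ingest unchanged."""
    result = apply_ingest_limits(event)
    warnings = []
    if result["dropped_fields"]:
        warnings.append(f"{len(result['dropped_fields'])} field(s) would be dropped: "
                        f"{result['dropped_fields'][:5]}")
    if result["truncated"]:
        warnings.append("event exceeds max size; only @rawstring/@timestamp/@timezone survive "
                        "and @rawstring is truncated")
    return warnings


if __name__ == "__main__":
    # Constructed sample: a small event with 8,500 synthetic fields.
    sample = {"@rawstring": "constructed log line", "@timestamp": "2024-01-01T00:00:00Z",
              "@timezone": "UTC", **{f"field{i:05d}": i for i in range(8_500)}}
    for line in check_for_ingest(sample):
        print("WARNING:", line)
```

Run `check_for_ingest` over a representative batch of parsed events from a new log source; a non-empty warning list is the cue to trim or restructure the parser before the data reaches the platform, where the same loss would happen silently apart from the info in @rawstring.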