Hi, the doc says a list can support up to 100k items. However, I found that it throws an error when searching against a list of over 1k items.
Here’s the query:
class=paloalto_traffic dstipv4: $malicious_cidrs1
If the list “malicious_cidrs1” contains over 1k IOCs, it will throw this error:
Elasticsearch StatusException[Elasticsearch exception [type=search_phase_execution_exception, reason=all shards failed]]; nested: [Elasticsearch exception[type=too_many_clauses, reason=too_many_clauses: maxClauseCount is set to 1024]]
This seriously limits the goal of my task. Please advise.
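The clause-limit error above, with a batching workaround as an added example (this is not the poster's query or the product's own code; it assumes the backing Elasticsearch index maps `dstipv4` as an `ip` field, that `class` is a keyword field, and that the SIEM expands a list reference into one boolean clause per item):

```python
"""Keep a large IOC list under Elasticsearch's maxClauseCount.

Assumption (not from the original post): the search backend expands the
referenced list into one boolean clause per entry, so more than 1024 CIDRs
trips the 1024-clause limit in the error. Validating the list and splitting
it into batches that stay under the limit, one query per batch, avoids it.
"""
import ipaddress
from typing import Dict, Iterable, List

MAX_CLAUSE_COUNT = 1024  # value reported in the error message


def validate_cidrs(entries: Iterable[str]) -> List[str]:
    """Return only well-formed IPv4 networks (bare hosts become /32); drop the rest."""
    valid = []
    for raw in entries:
        try:
            net = ipaddress.ip_network(raw.strip(), strict=False)
        except ValueError:
            continue  # malformed entry: skip rather than break the whole query
        if net.version == 4:
            valid.append(str(net))
    return valid


def batch_list(items: List[str], limit: int = MAX_CLAUSE_COUNT,
               headroom: int = 24) -> List[List[str]]:
    """Split items into chunks of at most limit - headroom entries, leaving
    room for the other clauses in the query (e.g. class=paloalto_traffic)."""
    size = limit - headroom
    if size <= 0:
        raise ValueError("headroom must be smaller than the clause limit")
    return [items[i:i + size] for i in range(0, len(items), size)]


def build_terms_queries(field: str, cidrs: List[str]) -> List[Dict]:
    """One Elasticsearch query body per batch; a terms query on an ip-typed
    field accepts CIDR values (hypothetical field names, see lead-in)."""
    return [{"query": {"bool": {"filter": [
                {"term": {"class": "paloalto_traffic"}},
                {"terms": {field: chunk}},
            ]}}} for chunk in batch_list(cidrs)]


# Constructed sample: 2,500 /32 entries plus two lines that must be dropped.
SAMPLE_IOCS = [f"10.{i // 256}.{i % 256}.1/32" for i in range(2500)] \
    + ["not-an-ip", "2001:db8::/32"]

if __name__ == "__main__":
    good = validate_cidrs(SAMPLE_IOCS)
    bodies = build_terms_queries("dstipv4", good)
    print(len(good), "valid CIDRs ->", len(bodies), "queries")
```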