IBM Security QRadar SOAR

 View Only
  • 1.  Additional information: Function result exceeds the maximum size of 5 MB.

    Posted Wed September 07, 2022 07:16 AM
    Hello everyone,

    I'm using the parse Email Function from the Utilities App and I've been getting this error: "Additional information: Function result 'playbook.functions.results.fn_parseattachedemail_output' exceeds the maximum size of 5 MB" when dealing with Emails that have an Attachment.

    Is there a way to raise the limit of a function output or is there another way i could parse large mails without handing the attachments to the results but still getting them as artifacts?


    ------------------------------
    Benjamin Walden
    ------------------------------


  • 2.  RE: Additional information: Function result exceeds the maximum size of 5 MB.

    Posted Wed September 07, 2022 04:45 PM
    There is a config var - "workflow.max_single_prop_mb" that limits the max allowed functions results size. Having said it may not be a good idea to set this value too high as these results are cached in memory during the execution of the playbook/workflow.

    ------------------------------
    Ram Badvelu
    ------------------------------



  • 3.  RE: Additional information: Function result exceeds the maximum size of 5 MB.

    Posted Thu September 08, 2022 01:28 AM
    Thank you for your answer.
    Can you tell me where i can find the right config to edit this value? I would at least want to try it on our test environment.

    ------------------------------
    Benjamin Walden
    ------------------------------



  • 4.  RE: Additional information: Function result exceeds the maximum size of 5 MB.

    Posted Thu September 08, 2022 08:39 AM
    You can use the resutil tool for changing the config vars.

    e.g., set the workflow.max_single_prop_mb value to 6 MB

    sudo resutil configset -key workflow.max_single_prop_mb -ivalue 6


    ------------------------------
    Ram Badvelu
    ------------------------------



  • 5.  RE: Additional information: Function result exceeds the maximum size of 5 MB.

    Posted Fri September 09, 2022 01:25 AM
    Thank you Ram. It worked like a charm.
    I will monitor our environment to make sure the new value doesn't break anything.

    ------------------------------
    Benjamin Walden
    ------------------------------