Maximum number of events per investigation?

[cloud9-kj]

Hi,
Is there a maximum number of events that can be ingested per investigation?
Recommended size if possible, thanks.
e.g. 100 million events per investigation.
Thanks

[cloud9-kj]

Also, how big plaso file can be uploaded per upload? Is there a limitation?

[berggren]

Hi, there are no limitations set by Timesketch but there are some limitations on the Elasticsearch backend depending on your setup.

• Disk size: You can't save larger indexes than the physical hard disk space.
• There are maximum number (1500) of shards that can be opened.
• There are limitations with Lucene (which Elastic uses) and then Elastic itself, see https://www.elastic.co/guide/en/app-search/current/limits.html and maximum sizes of HTTP requests, hence when we upload files we split them up, to avoid HTTP limitations.

With a decent Elasticsearch deployment you can have hundreds of millions events across many many investigations without issues.