![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(294.40000000000003, 99%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKK%3C/text%3E%3C/svg%3E)
Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.
1,199 questions
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(166.4, 27%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERP%3C/text%3E%3C/svg%3E)
Hello @Khanna, Keshav,
Thank you for posting your query on Microsoft Q&A.
Yes, you are correct—there is a limitation on summary rules where the maximum result set size is 100MB.
To address this limitation, you might consider adding a time filter to your query. The time range applied in the query will be the intersection of the filter and the bin size. You can refer to the following documentation for more details: Create or update a summary rule
Instead of processing all logs at once, partition your data based on smaller time intervals. For instance, if you're currently summarizing logs for an entire day, try breaking it down into shorter intervals, such as an hour or 30 minutes. This approach will reduce the amount of data processed in each run and help you stay within the size limit.
Please test this approach and let me know the results.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Thanks,
Raja Pothuraju.