why i'm getting this message ?
i have data source configured as generic and Support Generic Syslogs configured with "do nothing "
i wrote a parser that works fine , but still for some events i'm getting this message.
any idea ?
It may be a combination of factors. Perhaps you've had Support Generic Syslogs enabled in the past but disabled it before your rule table filled (1 million entries), but your new parser pushed it to the max. Regardless, you will want to open up your Policy Manager | Data Source on the right and try to determine what events blew up your table. I would start by scrolling/searching through the list for a few hundred thousand of something so I understood the root cause and made sure it was handled.
If you're writing you're own parsing rules and using the Signature Name field, make sure that whatever populates that doesn't include a dynamic value like username, time, UUID, or something that's going to cause it to generate a new autolearned rule every time there is a variation. From there, you will want to delete the autolearned rules. You can delete all of the autolearned rules for a particular data source for a configurable amount of time. After autolearned events are deleted, some of the event names will show up as just '0' until the event is seen and autolearned again but this should be temporary for most events but dependent upon your specific environment.
Worst case is that you delete, the autolearned rules without handling the data source that created them, so your rule table fills up again and you start the process over.