limits.conf

limits.conf

Use limits.conf to configure limits for search commands.

limits.conf.spec

# Copyright (C) 2005-2008 Splunk Inc.  All Rights Reserved.  Version 3.0 
#
# This file contains possible attribute/value pairs for configuring limits for search commands.
#
# There is a limits.conf in $SPLUNK_HOME/etc/system/default/.  To set custom configurations, 
# place a limits.conf in $SPLUNK_HOME/etc/system/local/. For examples, see 
# limits.conf.example. You must restart Splunk to enable configurations.
#
# To learn more about configuration files (including precedence) please see the documentation 
# located at http://www.splunk.com/base/Documentation/latest/Admin/HowDoConfigurationFilesWork.
#
# CAUTION: Do not alter the settings in limits.conf unless you know what you are doing. 
# Improperly configured limits may result in splunkd crashes and/or memory overuse.
* Each stanza controls different parameters of search commands.
[searchresults]
* This stanza controls search results.
	
maxresultrows = <integer>
* Configures the maximum number of events that can be present in memory at one time.
* Defaults to 50000.
tocsv_maxretry = <integer>
* Maximum number of times to try in the atomic write operation.
* 1 = no retries.
* Defaults to 5.
tocsv_retryperiod_ms = <integer>
* Retry period.
* Defaults to 500.
[subsearch]
* This stanza controls subsearch results.
maxout = <integer>
* Maximum number of results to return from a subsearch.
* Defaults to 100.
maxtime = <integer>
* Maximum number of seconds to run a subsearch before finalizing
* Defaults to 10.
timeout = <integer>
* Maximum time to wait for an already running subsearch.
* Defaults to 30.
ttl = <integer>
* Time to cache a given subsearch's results.
* Defaults to 300.
[anomalousvalue]
maxresultrows = <integer>
* Configures the maximum number of events that can be present in memory at one time. 
* Defaults to searchresults::maxresultsrows (eg 50000).
	
maxvalues = <integer>
* Maximum number of distinct values for a field.
* Defaults to 100000.
maxvaluesize = <integer>
* Maximum size in bytes of any single value (truncated to this size if larger)
* Defaults to 1000.
[associate]
maxfields = <integer>
* Maximum number of fields to analyze.
* Defaults to 10000.
maxvalues = <integer>
* Maximum number of values for any field to keep track of.
* Defaults to 10000.
maxvaluesize = <integer>
* Maximum length of a single value to consider.
* Defaults to 1000.
[ctable]
* This stanza controls the contingency, ctable, and counttable commands.
maxvalues = <integer>
* Maximum number of columns/rows to generate (i.e. the maximum distinct values for the row field and column field)
* Defaults to 1000.
[correlate]
maxfields = <integer>
* Maximum number of fields to correlate.
* Defaults to 1000.
[discretize]
* This stanza set attributes for bin/bucket/discretize.
maxbins = <integer> 
* Maximum number of buckets to discretize into.
* If maxbins is not specified or = 0, it defaults to searchresults::maxresultrows (eg 50000).
[inputcsv]
mkdir_max_retries = <integer>
* Maximum number of retries for creating a tmp directory (with random name as subdir of SPLUNK_HOME/var/run/splunk)
* Defaults to 100.
[kmeans]
maxdatapoints = <integer>
* Maximum data points to do kmeans clusterings for.
* Defaults to 100000000
[kv]
maxcols = <integer>
* When non-zero, the point at which kv should stop creating new fields.
* Defaults to 512.
[metrics]
maxseries = <integer>
* The number of series to include in the per_x_thruput reports in metrics.log.
* Defaults to 10.
[rare]
maxresultrows = <integer>
* Maximum number of result rows to create.
* If not specified, defaults to searchresults::maxresultrows (eg 50000).
maxvalues = <integer>
* Maximum number of distinct field vector values to keep track of.
* Defaults 100000.
maxvaluesize = <integer>
* Maximum length of a single value to consider.
* defaults to 1000.
[report]
maxresultrows = <integer>
* Maximum number of result rows to create.
* Defaults to 300.
[restapi]
maxresultrows = <integer>
* Maximum result rows to be return by /events or /results getters from REST API.
* Defaults to 50000.
[search]
ttl = <integer>
* How long searches should be stored on disk once completed.
* Defaults to 86400.
status_buckets = 300
* The approximate maximum number of timeline buckets to maintain.
* Defaults to 300.
max_count = <integer>
* The last accessible event in a call that takes a base and bounds.
* Defaults to 10000.
min_prefix_len = <integer>
* The minimum length of a prefix before a * to ask the index about.
* Defaults to 1.
max_results_raw_size = <integer>
* The largest "_raw" volume that should be read in memory.
* Defaults to 100000000.
cache_ttl = <integer>
* The length of time to persist search cache entries (in seconds).
* Defaults to 300.
[slc]
maxclusters = <integer>
* Maximum number of clusters to create.
* Defaults to 10000.
[stats]
maxresultrows = <integer>
* Maximum number of result rows to create. 
* If not specified, defaults to searchresults::maxresultrows (eg 50000).
maxvalues = <integer>
* Maximum number of values for any field to keep track of.
* Defaults to 10000.
maxvaluesize = <integer>
* Maximum length of a single value to consider.
* Defaults to 1000.
[thruput]
maxKBps = <integer>
* If specified and not zero, this limits the speed through the thruput processor to the specified rate in kilobytes per second.
[top]
maxresultrows = <integer>
* Maximum number of result rows to create.
* If not specified, defaults to searchresults::maxresultrows (eg 50000).
maxvalues = <integer>
* Maximum number of distinct field vector values to keep track of.
* Defaults to 100000.
maxvaluesize = <integer>
* Maximum length of a single value to consider.
* Defaults to 1000.
[inputproc]
max_fd = <integer>
* Maximum number of file descriptors that Splunk can use in the Select Processor.
* The maximum value allowed is the top number of file descriptors per process / 2.
* Defaults to 32.
time_before_close = <integer>
* Modtime delta required before Splunk can close a file on EOF.
* Tells the system not to close files that have been updated in past <integer> seconds.
* Defaults to 5.
fishbucketSyncTime = <integer>
* Frequency at which the fishbucket DB queue is flushed to disk. 
* Default is 10 seconds.
tailing_proc_speed = <integer>
* Number of non-input directory entries Splunk will traverse before sleeping.
* Controls how actively Splunk will traverse blacklisted files, directories, and other excluded files.
* Increasing this setting increases Splunks use of CPU and speeds up the location of included/non-blacklisted files for indexing. 
* Defaults to 1, contact Splunk Support for guidance in setting this value any higher. 
* This setting is only available in 3.4.11 and later. 

limits.conf.example

# Copyright (C) 2005-2008 Splunk Inc.  All Rights Reserved.  Version 3.0 
#
# This file contains an example limits.conf.
#
# CAUTION: Do not alter the settings in limits.conf unless you know what you are doing. 
# Improperly configured limits may result in splunkd crashes and/or memory overuse.
#
# To use one or more of these configurations, copy the configuration block into
# limits.conf in $SPLUNK_HOME/etc/system/local/. You must restart Splunk to 
# enable configurations.
#
# To learn more about configuration files (including precedence) please see the documentation 
# located at http://www.splunk.com/base/Documentation/latest/Admin/HowDoConfigurationFilesWork.
[searchresults]
maxresultrows = 50000
# maximum number of times to try in the atomic write operation (1 = no retries)
tocsv_maxretry = 5
# retry period is 1/2 second (500 milliseconds)
tocsv_retryperiod_ms = 500
[subsearch]
# maximum number of results to return from a subsearch
maxout = 100
# maximum number of seconds to run a subsearch before finalizing
maxtime = 10
# maximum time to wait for an already running subsearch
timeout = 30
# time to cache a given subsearch's results
ttl = 300
[anomalousvalue]
maxresultrows = 50000
# maximum number of distinct values for a field
maxvalues = 100000
# maximum size in bytes of any single value (truncated to this size if larger)
maxvaluesize = 1000
[associate]
maxfields = 10000
maxvalues = 10000
maxvaluesize = 1000
# for the contingency, ctable, and counttable commands
[ctable]
maxvalues = 1000
[correlate]
maxfields = 1000
# for bin/bucket/discretize
[discretize]
maxbins = 50000 
# if maxbins not specified or = 0, defaults to searchresults::maxresultrows
[inputcsv]
# maximum number of retries for creating a tmp directory (with random name in SPLUNK_HOME/var/run/splunk)
mkdir_max_retries = 100
[kmeans]
maxdatapoints = 100000000
[kv]
# when non-zero, the point at which kv should stop creating new columns
maxcols = 512
[rare]
maxresultrows = 50000
# maximum distinct value vectors to keep track of
maxvalues = 100000
maxvaluesize = 1000
[report]
maxresultrows = 300
[restapi]
# maximum result rows to be return by /events or /results getters from REST API  
maxresultrows = 50000
[search]
# how long searches should be stored on disk once completed
ttl = 86400
# the approximate maximum number of timeline buckets to maintain
status_buckets = 300
# the last accessible event in a call that takes a base and bounds
max_count = 10000
# the minimum length of a prefix before a * to ask the index about
min_prefix_len = 1
# the largest "_raw" volume that should be read in memory
max_results_raw_size = 100000000
# the length of time to persist search cache entries (in seconds)
cache_ttl = 300
[slc]
# maximum number of clusters to create
maxclusters = 10000
[stats]
maxresultrows = 50000
maxvalues = 10000
maxvaluesize = 1000
[top]
maxresultrows = 50000
# maximum distinct value vectors to keep track of
maxvalues = 100000
maxvaluesize = 1000
[inputproc]
max_fd = 32
time_before_close = 5

• Was this topic useful?
• Post a comment