limits.conf

limits.conf

The following are the spec and example files for limits.conf.

limits.conf.spec

# Copyright (C) 2005-2010 Splunk Inc.  All Rights Reserved.  Version 4.1.5 
#
# This file contains possible attribute/value pairs for configuring limits for search commands.
#
# There is a limits.conf in $SPLUNK_HOME/etc/system/default/.  To set custom configurations, 
# place a limits.conf in $SPLUNK_HOME/etc/system/local/. For examples, see 
# limits.conf.example. You must restart Splunk to enable configurations.
#
# To learn more about configuration files (including precedence) please see the documentation 
# located at http://www.splunk.com/base/Documentation/latest/Admin/Aboutconfigurationfiles
#
# CAUTION: Do not alter the settings in limits.conf unless you know what you are doing. 
# Improperly configured limits may result in splunkd crashes and/or memory overuse.

* Each stanza controls different parameters of search commands.

[searchresults]
* This stanza controls search results for various Splunk search commands
          
maxresultrows = <integer>
* Configures the maximum number of events that will be generated by search commands which 
grow the size of results (such as multikv) or that create events. Other search commands are explicitly 
controlled in specific stanzas below.
* Defaults to 50000. 
tocsv_maxretry = <integer>
* Maximum number of times to retry the atomic write operation.
* 1 = no retries.
* Defaults to 5.

tocsv_retryperiod_ms = <integer>
* Retry period.
* Defaults to 500.

[subsearch]
* This stanza controls subsearch results.

maxout = <integer>
* Maximum number of results to return from a subsearch.
* Defaults to 100.

maxtime = <integer>
* Maximum number of seconds to run a subsearch before finalizing
* Defaults to 60.

ttl = <integer>
* Time to cache a given subsearch's results.
* Defaults to 300.

[anomalousvalue]

maxresultrows = <integer>
* Configures the maximum number of events that can be present in memory at one time. 
* Defaults to searchresults::maxresultsrows (which is by default 50000).
	
maxvalues = <integer>
* Maximum number of distinct values for a field.
* Defaults to 100000.

maxvaluesize = <integer>
* Maximum size in bytes of any single value (truncated to this size if larger)
* Defaults to 1000.

[associate]

maxfields = <integer>
* Maximum number of fields to analyze.
* Defaults to 10000.

maxvalues = <integer>
* Maximum number of values for any field to keep track of.
* Defaults to 10000.

maxvaluesize = <integer>
* Maximum length of a single value to consider.
* Defaults to 1000.


[concurrency]
max_count = <integer>
* Maximum concurrency level to keep track of
* Defaults to 10000000


[ctable]
* This stanza controls the contingency, ctable, and counttable commands.

maxvalues = <integer>
* Maximum number of columns/rows to generate (the maximum number of distinct values for the row field 
and column field)
* Defaults to 1000.


[correlate]

maxfields = <integer>
* Maximum number of fields to correlate.
* Defaults to 1000.


[discretize]
* This stanza set attributes for bin/bucket/discretize.

maxbins = <integer> 
* Maximum number of buckets to discretize into.
* If maxbins is not specified or = 0, it defaults to searchresults::maxresultrows (which is by default 50000).

[inputcsv]
mkdir_max_retries = <integer>
* Maximum number of retries for creating a tmp directory (with random name as subdir of SPLUNK_HOME/var/run/splunk)
* Defaults to 100.


[join]
subsearch_maxout = <integer>
* Maximum result rows in output from subsearch that we join against
* Defaults to 50000

subsearch_maxtime = <integer>
* Maximum search time (in seconds) before auto-finalization of subsearch
* Defaults to 60 

subsearch_timeout = <integer>
* Maximum time to wait for subsearch to fully finish (in seconds)
* Defaults to 120

[kmeans]

maxdatapoints = <integer>
* Maximum data points to do kmeans clusterings for.
* Defaults to 100000000

maxkvalue = <integer>
* Maximum number of cluster to attempt to solve for
* Defaults to 1000

maxkrange = <integer>
* Maximum number of k values to iterate over when specifying a range
* Defaults to 100

[kv]

maxcols = <integer>
* When non-zero, the point at which kv should stop creating new fields.
* Defaults to 512.

limit    = <integer>
* maximum number of keys auto kv can generate
* Defaults to 50

maxchars = <integer>
* truncate _raw to to this size and then do auto KV
* Defaults to 10240

[lookup]

max_memtable_bytes = <integer> 
* maximum size of static lookup file to use a in-memory index for
* Defaults to 10000000

max_matches = <integer>
* maximum matches for a lookup
* Defaults to 1000

max_reverse_matches = <integer> 
* maximum reverse lookup matches (for search expansion)
* Defaults to 500

[metrics]

maxseries = <integer>
* The number of series to include in the per_x_thruput reports in metrics.log.
* Defaults to 10.

[rare]

maxresultrows = <integer>
* Maximum number of result rows to create.
* If not specified, defaults to searchresults::maxresultrows (which is by default 50000).

maxvalues = <integer>
* Maximum number of distinct field vector values to keep track of.
* Defaults 100000.

maxvaluesize = <integer>
* Maximum length of a single value to consider.
* defaults to 1000.

[restapi]

maxresultrows = <integer>
* Maximum result rows to be returned by /events or /results getters from REST API.
* Defaults to 50000.

[search]

ttl = <integer>
* How long searches should be stored on disk once completed, in seconds.
* Defaults to 600, which is equivalent to 10 minutes.

status_buckets = 0
* The approximate maximum number of timeline buckets to maintain.
* Defaults to 0.

max_count = <integer>
* The last accessible event in a call that takes a base and bounds.
* Defaults to 10000.

truncate_report = <bool>
* Apply the max_count limit to report output?
* Defaults to false

min_prefix_len = <integer>
* The minimum length of a prefix before a * to ask the index about.
* Defaults to 1.

max_results_raw_size = <integer>
* The largest "_raw" volume that should be read in memory.
* If the total volume of _raw fields (the text of the events) exceeds this value, no more results 
will be returned for the search.
* Defaults to 100000000, which is 100MB. 

cache_ttl = <integer>
* The length of time to persist search cache entries (in seconds).
* Defaults to 300.

reduce_freq = <integer>
* Attempt to reduce intermediate results every how many chunks (0 = never)
* Defaults to 10

dispatch_quota_retry = <integer>
* the maximum number of times to retry to dispatch a search when the quota has been reached
* Defaults to 4

dispatch_quota_sleep_ms = <integer>
* milliseconds between retrying to dispatch a search if a quota has been reached
* we retry the given number of times, with each successive wait 2x longer than the previous
* Defaults to 100

base_max_searches    = <int>
* a constant to add the maximum number of searches computed as a multiplier of the CPUs
* Defaults to 4

max_searches_per_cpu = <int>
* the maximum number of concurrent historical searches per CPU. The system-wide limit of 
historical searches 
* is computed as: max_hist_searches =  max_searches_per_cpu x number_of_cpus + base_max_searches
* Note: the maximum number of real-time searches is computed as: max_rt_searches = max_rt_search_multiplier 
x max_hist_searches
* Defaults to 4

max_rt_search_multiplier = <decimal number>
* a number by which the maximum number of historical searches is multiplied to determine the maximum
* number of concurrent real-time searches 
* Note: the maximum number of real-time searches is computed as: max_rt_searches = max_rt_search_multiplier 
x max_hist_searches
* Defaults to 3

max_macro_depth = <int> 
* max recursion depth for macros
* considered a search exception if macro expansion doesn't stop after this many levels 
* must be >= 1, default is 100

realtime_buffer = <int>
* maximum number of accessible events to keep for real-time searches from the UI
* Acts as circular buffer once this limit is reached
* must be >= 1, default is 10000

stack_size = <int>
* the stack size (in bytes) of the thread executing the search
* defaults to 4194304  (4 MB)

status_cache_size = <int>
* the number of search job status data splunkd can cache in RAM. This cache improves
* performance of the jobs endpoint
* defaults to 2000

timeline_freq = <timespan> or <ratio> 
* Minimum amount of time between timeline commits
* If specified as a number < 1 (and > 0), minimum time between commits is computed as a ratio of 
the amount of time that the search has been running
* defaults to 0 seconds

preview_freq = <timespan> or <ratio>
* Minimum amount of time between results preview updates
* If specified as a number < 1 (and > 0), minimum time between preview is computed as a ratio of the 
amount of time that the search has been running, or as a ratio of the length of the time window for 
real-time windowed searches.
* defaults to ratio of 0.05

max_combiner_memevents = <int>
* maximum size of in-memory buffer for search results combiner, in terms of number of events
* defaults to 50000

replication_period_sec  = <int>
* the minimum amount of time in seconds between two successive configuration file replications
* defaults to 60

sync_bundle_replication = <bool>
* flag indicating whether configurtion file replication blocks searches or is run asynchronously 
* NOTE: setting this flag to false could cause searches to run with out-of-sync configuration files
on different search peers
* defaults to true  

multi_threaded_setup = <bool>
* flag indicating whether to use multiple threads when setting up distributed search to multiple peers
* defaults to false

rr_min_sleep_ms = <int>
* minimum time to sleep when reading results in round-robin mode when no data is available
* defaults to 10

rr_max_sleep_ms = <int>
* maximum time to sleep when reading results in round-robin mode when no data is available
* defaults to 1000

rr_sleep_factor = <int>
* if no data is available even after sleeping, increase the next sleep interval by this factor
* defaults to 2

[realtime] 
# default options for indexer support of real-time searches
# these can all be overriden for a single search via REST API arguments
queue_size = <int>
* size of queue for each real-time search (must be >0)
* default is 10000

blocking = <bool> 
* should indexer block if a queue is full?
* defaults is false

max_blocking_secs = <int>
* maximum time to block if the queue is full (meaningless if blocking = false)
* default = 60 
* 0 means no limit

indexfilter = <bool>
* should the indexer prefilter events for efficiency?
* default is true

[slc]

maxclusters = <integer>
* Maximum number of clusters to create.
* Defaults to 10000.

[stats|sistats]

maxresultrows = <integer>
* Maximum number of result rows to create. 
* If not specified, defaults to searchresults::maxresultrows (which is by default 50000).

maxvalues = <integer>
* Maximum number of values for any field to keep track of.
* Defaults to 100000 for stats and 1000 for sistats

maxvaluesize = <integer>
* Maximum length of a single value to consider.
* Defaults to 1000 for stats and 200 for sistats

# rdigest is a data structure used to compute approximate order statistics (such as median and percentiles) 
using sublinear space
rdigest_k = <integer>
* rdigest compression factor
* lower k = more compression
* after compression, number of nodes guaranteed to be <= 11*k
* default = 100, must be >=2

rdigest_maxnodes = <integer>
* maximum rdigest nodes before automatic compression is triggered
* default = 1, meaning automatically configure based on k value

[thruput]

maxKBps = <integer>
* If specified and not zero, this limits the speed through the thruput processor to the specified rate in 
kilobytes per second.

[top]

maxresultrows = <integer>
* Maximum number of result rows to create.
* If not specified, defaults to searchresults::maxresultrows (which is by default 50000).

maxvalues = <integer>
* Maximum number of distinct field vector values to keep track of.
* Defaults to 100000.

maxvaluesize = <integer>
* Maximum length of a single value to consider.
* Defaults to 1000.

[transactions]

maxopentxn    = <integer>
* maximum number of open transaction or events in open
* Defaults to 5000

maxopenevents = <integer>
* transaction before transaction eviction happens
* Defaults to 100000

[inputproc]

max_fd = <integer>
* Maximum number of file descriptors that Splunk will keep open, to capture any trailing data from 
files that are written to very slowly.
* Defaults to 100

time_before_close = <integer>
* MOVED.  This setting is now configured per-input in inputs.conf.
* Specifying this setting in limits.conf is DEPRECATED, but for now will override the setting for 
all monitor inputs.

tailing_proc_speed = <integer>
* REMOVED.  This setting is no longer used.

[scheduler]
max_searches_perc = <integer>
* the maximum number of searches the scheduler can run, as a percentage
* of the maximum number of concurrent searches, see [search] max_searches_per_cpu
* for how to set the system wide maximum number of searches
* Defaults to 25

max_action_results = <integer>
* the maximum number of results to load when triggering an alert action
* Defaults to 10000

action_execution_threads = <integer>
* number of threads to use to execute alert actions, change this number if your alert actions 
* take a long time to execute. This number is capped at 10
* Defaults to 2

actions_queue_size = <integer>
* the number of alert notifications to queue before the scheduler starts blocking, set to 0 for 
infinite size
* Defaults to 20


[show_source]
max_count = <integer>
* maximum number of events accessible by show_source.  show source will fail when more than this many 
events are in the same second as the requested event
* Defaults to 10000

max_timebefore = <timespan>
* Maximum time before requested event to show
* Defaults to '1day' (86400 seconds)

max_timeafter = <timespan>
* Maximum time after requested event to show
* Defaults to '1day' (86400 seconds)


[typeahead]
maxcount = <integer>
* Maximum number of typeahead results to find
* Defaults to 1000

use_cache = <bool>
* Specifies whether the typeahead cache will be used if use_cache is not specified in the command line 
or endpoint
* Defaults to true

fetch_multiplier = <integer>
* A multiplying factor that determines the number of terms to fetch from the index, 
fetch = fetch_multiplier x count
* Defaults to 50

cache_ttl_sec = <integer>
* The period, in seconds, for how long the typeahead cached results are valid
* Defaults to 300


min_prefix_length = <integer>
* The minimum string prefix for which to provide typeahead 
* Defaults to 1


[typer]
maxlen = <int>
* in eventtyping, pay attention to first N characters of any attribute (such as _raw), including individual 
tokens. Can be overridden by supplying the typer operator with the argument maxlen (for example, "|typer maxlen=300").
* defaults to 10000

limits.conf.example

# Copyright (C) 2005-2010 Splunk Inc.  All Rights Reserved.  Version 4.1.5 
# CAUTION: Do not alter the settings in limits.conf unless you know what you are doing. 
# Improperly configured limits may result in splunkd crashes and/or memory overuse.


[searchresults]
maxresultrows = 50000
# maximum number of times to try in the atomic write operation (1 = no retries)
tocsv_maxretry = 5
# retry period is 1/2 second (500 milliseconds)
tocsv_retryperiod_ms = 500

[subsearch]
# maximum number of results to return from a subsearch
maxout = 100
# maximum number of seconds to run a subsearch before finalizing
maxtime = 10
# maximum time to wait for an already running subsearch
timeout = 30
# time to cache a given subsearch's results
ttl = 300

[anomalousvalue]
maxresultrows = 50000
# maximum number of distinct values for a field
maxvalues = 100000
# maximum size in bytes of any single value (truncated to this size if larger)
maxvaluesize = 1000

[associate]
maxfields = 10000
maxvalues = 10000
maxvaluesize = 1000

# for the contingency, ctable, and counttable commands
[ctable]
maxvalues = 1000

[correlate]
maxfields = 1000

# for bin/bucket/discretize
[discretize]
maxbins = 50000 
# if maxbins not specified or = 0, defaults to searchresults::maxresultrows

[inputcsv]
# maximum number of retries for creating a tmp directory (with random name in SPLUNK_HOME/var/run/splunk)
mkdir_max_retries = 100

[kmeans]
maxdatapoints = 100000000

[kv]
# when non-zero, the point at which kv should stop creating new columns
maxcols = 512

[rare]
maxresultrows = 50000
# maximum distinct value vectors to keep track of
maxvalues = 100000
maxvaluesize = 1000

[restapi]
# maximum result rows to be return by /events or /results getters from REST API  
maxresultrows = 50000

[search]
# how long searches should be stored on disk once completed
ttl = 86400

# the approximate maximum number of timeline buckets to maintain
status_buckets = 300

# the last accessible event in a call that takes a base and bounds
max_count = 10000

# the minimum length of a prefix before a * to ask the index about
min_prefix_len = 1

# the largest "_raw" volume that should be read in memory
max_results_raw_size = 100000000

# the length of time to persist search cache entries (in seconds)
cache_ttl = 300

[slc]
# maximum number of clusters to create
maxclusters = 10000

[stats]
maxresultrows = 50000
maxvalues = 10000
maxvaluesize = 1000

[top]
maxresultrows = 50000
# maximum distinct value vectors to keep track of
maxvalues = 100000
maxvaluesize = 1000

• Was this topic useful?
• Post a comment