Splunk® Enterprise

Admin Manual

limits.conf

The following are the spec and example files for limits.conf.

limits.conf.spec

#   Version 9.4.0
#

OVERVIEW


# This file contains descriptions of the settings that you can use to
# configure limitations for the search commands.
#
# Each stanza controls different search commands settings.
#
# There is a limits.conf file in the $SPLUNK_HOME/etc/system/default/ directory.
# Never change or copy the configuration files in the default directory.
# The files in the default directory must remain intact and in their original
# location.
#
# To set custom configurations, create a new file with the name limits.conf in
# the $SPLUNK_HOME/etc/system/local/ directory. Then add the specific settings
# that you want to customize to the local configuration file.
# For examples, see limits.conf.example. You must restart the Splunk instance
# to enable configuration changes.
#
# To learn more about configuration files (including file precedence) see the
# documentation located at
# http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles
#
# About Distributed Search
#   Unlike most settings which affect searches, limits.conf settings are not
#   provided by the search head to be used by the search peers.  This means
#   that if you need to alter search-affecting limits in a distributed
#   environment, typically you will need to modify these settings on the
#   relevant peers and search head for consistent results.
#

GLOBAL SETTINGS


# Use the [default] stanza to define any global settings.
#   * You can also define global settings outside of any stanza, at the top of
#     the file.
#   * Each .conf file should have at most one default stanza. If there are
#     multiple default stanzas, settings are combined. In the case of
#     multiple definitions of the same setting, the last definition in the
#     file takes precedence.
#   * If a setting is defined at both the global level and in a specific
#     stanza, the value in the specific stanza takes precedence.
#
# CAUTION: Do not alter the settings in the limits.conf file unless you know
#     what you are doing. Improperly configured limits might result in
#     splunkd crashes, memory overuse, or both.

[default]

DelayArchiveProcessorShutdown = <boolean>
* Specifies whether during splunk shutdown archive processor should finish
  processing archive file under process.
* When set to "false": The archive processor abandons further processing of
  the archive file and will process again from start again.
* When set to "true": The archive processor will complete processing of
  the archive file. Shutdown will be delayed.
* Default: false

maxArchiveNestLevel = <non-negative integer>
* Specifies the maximum number of nested levels for an archive file for processing.
* If an archive file exceeds the maximum specified nested level, Splunk software ignores the archive file.
* Maximum value: 10
* Default: 4

max_mem_usage_mb = <non-negative integer>
* The maximum amount of RAM, in megabytes (MB), that a batch of
  events or results can use in the memory of a search process.
* Operates on an estimation of memory use which is not exact. The estimation can
  deviate by an order of magnitude or so to both the smaller and larger sides.
* The search processor applies the limitation in an unusual way. If the number
  of results or events exceeds 'maxresultrows', AND the estimated memory 
  exceeds this limit, the data is spilled to disk.
* This means, as a general rule, lower limits will cause a search to use more
  disk I/O and less RAM, and be somewhat slower, but should cause the same
  results to typically come out of the search in the end.
* This limit is applied currently to a number, but not all search processors.
  However, more will likely be added as it proves necessary.
* The number is thus effectively a ceiling on batch size for many components of
  search for all searches run on this system.
* Some search processors might truncate results if they can't process the 
  results within the 'max_mem_usage_mb' limit. The search head displays a warning
  if this occurs.
* A value of "0" means that there is no limit to the amount of memory that
  a search process can use for events or results. Searches might be
  allowed to grow to arbitrary sizes.
* NOTE:
  * The mvexpand command uses the 'max_mem_usage_mb' value in a different way.
    * The mvexpand command has no combined logic with 'maxresultrows'.
    * If the memory limit is exceeded, output is truncated, not spilled to disk.
  * The 'stats' and 'sdselect' command processors use the 'max_mem_usage_mb'
    value in the following way.
    * If the estimated memory usage exceeds the specified limit, the results 
      are cached to the disk. This means that when a large volume of data 
      exceeds the 'max_mem_usage_mb' setting, the search processor doesn't 
      store all the data in memory. Instead, the search processor puts some 
      data into temporary data files on disk, so that it can do further  
      processing on that data later as needed.
    * If 0 is specified, the results are cached to the disk when the number of
      results exceeds the 'maxresultrows' setting.
  * The eventstats command processor uses the 'max_mem_usage_mb' value in the
    following way.
    * Both the 'max_mem_usage_mb' and the 'maxresultrows' settings are used to
      determine the maximum number of results to return.  If the limit for one
      setting is reached, the eventstats processor continues to return results
      until the limit for the other setting is reached. When both limits are
      reached, the eventstats command processor stops adding the requested
      fields to the search results.
    * If you set 'max_mem_usage_mb' to 0, the eventstats command processor uses
      only the 'maxresultrows' setting as the threshold. When the number of
      results exceeds the 'maxresultrows' setting, the eventstats command
      processor stops adding the requested fields to the search results.
* Default: 200

min_batch_size_bytes = <integer>
* Specifies the size, in bytes, of the file/tar after which the
  file is handled by the batch reader instead of the trailing processor.
* Global setting, cannot be configured per input.
* NOTE: Configuring this to a very small value could lead to backing up of jobs
  at the tailing processor.
* Default: 20971520

regex_cpu_profiling = <boolean>
* Enable CPU time metrics for RegexProcessor. Output will be in the
  metrics.log file.
  Entries in metrics.log will appear per_host_regex_cpu, per_source_regex_cpu,
  per_sourcetype_regex_cpu, per_index_regex_cpu.
* Default: true

agg_cpu_profiling = <boolean>
* Enable CPU time metrics for AggregatorProcessor. Output will be in the
  metrics.log file.
  Entries in metrics.log will appear per_host_agg_cpu, per_source_agg_cpu,
  per_sourcetype_agg_cpu, per_index_agg_cpu.
* Default: true

msp_cpu_profiling = <boolean>
* Enable CPU time metrics for MetricSchemaProcessor. Output will be in the
  metrics.log file.
  Entries in metrics.log will appear per_host_msp_cpu, per_source_msp_cpu,
  per_sourcetype_msp_cpu, per_index_msp_cpu.
* Default: true

mp_cpu_profiling = <boolean>
* Enable CPU time metrics for MetricsProcessor. Output will be in the
  metrics.log file.
  Entries in metrics.log will appear per_host_mp_cpu, per_source_mp_cpu,
  per_sourcetype_mp_cpu, per_index_mp_cpu.
* Default: true

lb_cpu_profiling = <boolean>
* Enable CPU time metrics for LineBreakingProcessor. Output will be in the
  metrics.log file.
  Entries in metrics.log will appear per_host_lb_cpu, per_source_lb_cpu,
  per_sourcetype_lb_cpu, per_index_lb_cpu.
* Default: true

clb_cpu_profiling = <boolean>
* Enable CPU time metrics for ChunkedLBProcessor. Output will be in the
  metrics.log file.
  Entries in metrics.log will appear per_host_clb_cpu, per_source_clb_cpu,
  per_sourcetype_clb_cpu, per_index_clb_cpu.
* Default: false

file_and_directory_eliminator_reaper_interval = <integer>
* Specifies how often, in seconds, to run the FileAndDirectoryEliminator reaping
  process.
* The FileAndDirectoryEliminator eliminates files and directories by moving them
  to a location that is reaped periodically. This reduces the chance of
  encountering issues due to files being in use.
* On Windows, the FileAndDirectoryEliminator is used by the deployment client
  to delete apps that have been removed or that are being redeployed.
* A value of 0 disables the FileAndDirectoryEliminator.
* NOTE: Do not change this setting unless instructed to do so by Splunk Support.
* Default (on Windows): 60
* Default (otherwise): 0

interval = <integer>
* Number of seconds between logging splunkd metrics to metrics.log
  for different subgroups.
* Check metrics.log for the list of configurable "metrics_modules".
* Set "interval" under the desired "metrics_module" stanza.
* Example:
  * If you want 60 seconds metrics logging interval for "thruput:thruput",
    * [thruput:thruput]
    * interval = 60
* Minimum value is 10 seconds.
* Valid value is multiple of 10.
* If value is not exact multiple of 10, it will be adjusted to nearest
  downward multiple.
* Recommended value multiple of 30. Splunk will decide how often to check for
  metrics reporting based on greatest common divisor across different values.
  If "interval" is set 30, 40 for two different components, then
  greatest common divisor for 30, 40 and 60(default) is 10. It's expensive
  for metrics reporting thread to log every 10 sec.
  If "interval" is set 30, 900 for two different components, then
  greatest common divisor for 30, 90 and 60(default) is 30. It's less
  expensive for metrics reporting thread to log every 30 sec.
* Default : "interval" config value set under [metrics] stanza.

[email]

* This stanza controls email settings that are enforced in the sendemail alert
  action.
result_limit = <unsigned integer>
* Limits the number of inline search results that Splunk software can send in 
  a 'sendemail' alert email. 
* Raising this setting to a higher value might result in increased splunkd 
  memory usage.
* This setting takes precdence over the 'maxinputs' setting in commands.conf.
* NOTE: Change this setting only under the direction of Splunk Support.
* Default: 10000

[searchresults]

* This stanza controls search results for a variety of Splunk search commands.

compression_level = <integer>
* Compression level to use when writing search results to .csv.gz files.
* Default: 1

maxresultrows = <integer>
* Configures the maximum number of events generated by search commands
  which grow the size of your result set (such as multikv) or that create
  events. Other search commands are explicitly controlled in specific stanzas
  that follow.
* NOTE: Do not change this setting unless instructed to do so by Splunk Support.
* Default: 50000

tocsv_maxretry = <integer>
* Maximum number of times to retry the atomic write operation.
* When set to "1": Specifies that there will be no retries.
* Default: 5

tocsv_retryperiod_ms = <integer>
* Period of time to wait before each retry.
* Default: 500

* These setting control logging of error messages to the info.csv file.
  All messages will be logged to the search.log file regardless of
  these settings.

[search_info]

* This stanza controls logging of messages to the info.csv file.
* Messages logged to the info.csv file are available to REST API clients
  and Splunk Web. Limiting the messages added to info.csv will mean
  that these messages will not be available in the UI and/or the REST API.

filteredindexes_log_level = [DEBUG|INFO|WARN|ERROR]
* Log level of messages when search returns no results because
  user has no permissions to search on queried indexes.
* Default: DEBUG

infocsv_log_level = [DEBUG|INFO|WARN|ERROR]
* Limits the messages which are added to the info.csv file to the stated
  level and above.
* For example, if "infocsv_log_level" is WARN, messages of type WARN
  and higher will be added to the info.csv file.
* Default: INFO

max_infocsv_messages  = <positive integer>
* Limits the number of messages which are added to the info.csv file,
  per log level.
* If more than max_infocsv_messages log entries are generated, additional
  entries will not be logged in the info.csv file. All entries will still be
  logged in the search.log file.
* Default: 20

show_warn_on_filtered_indexes = <boolean>
* Log warnings if search returns no results because user has
  no permissions to search on queried indexes.
* Default: false

[subsearch]

* This stanza controls subsearch results.
* Read more about subsearches in the online documentation:
  http://docs.splunk.com/Documentation/Splunk/latest/Search/Aboutsubsearches


maxout = <integer>
* Maximum number of results to return from a subsearch.
* This value cannot be greater than or equal to 10500.
* Default: 10000

maxtime = <integer>
* Maximum number of seconds to run a subsearch before finalizing
* Default: 60

ttl = <integer>
* The time to live (ttl), in seconds, of the cache for the results of a given
  subsearch.
* Do not set this below 120 seconds.
* See the definition in the [search] stanza under the "TTL" section for more
  details on how the ttl is computed.
* Default: 300 (5 minutes)

subsearch_artifacts_delete_policy = [immediate|ttl]
* How subsearch artifacts are deleted after a sub search completes.
* Set to `immediate` to have subsearch artifacts remove immediately after a
  subsearch completes.
* Set to 'ttl' to have subsearch artifacts delete after the time-to-live of
  the subsearch has been reached.
* For example, you could use '|noop subsearch_artifacts_delete_policy = [immediate|ttl]'
  to overwrite the setting for a particular search.
* Default: ttl

SEARCH COMMAND


# This section contains the limitation settings for the search command.
# The settings are organized by type of setting.

[search]

# The settings under the [search] stanza are organized by type of setting.

Batch search

# This section contains settings for batch search.

allow_batch_mode = <boolean>
* Specifies whether or not to allow the use of batch mode which searches
  in disk based batches in a time insensitive manner.
* In distributed search environments, this setting is used on the search head.
* Default: true

batch_search_max_index_values = <integer>
* When using batch mode, this limits the number of event entries read from the
  index file. These entries are small, approximately 72 bytes. However batch
  mode is more efficient when it can read more entries at one time.
* Setting this value to a smaller number can lead to slower search performance.
* A balance needs to be struck between more efficient searching in batch mode
* and running out of memory on the system with concurrently running searches.
* Default: 10000000

batch_search_max_pipeline = <integer>
* This setting controls the number of search pipelines that are launched on the
  indexer during batch search.
* Increasing the number of search pipelines can improve search performance.
  However, this can also result in increased thread and memory usage.
* This setting applies only to searches that run on remote indexers.
* The value for this setting should be >=1. When this setting is >1 on the
  search head, the setting is applied to all remote indexers. Otherwise, remote
  indexers use their local 'batch_search_max_pipeline' setting.
* You can override this setting on a per-search basis by appending
  '|noop batch_search_max_pipeline=<integer>' to the search string. The
  <integer> should be >1.
* Default: 1

batch_search_max_results_aggregator_queue_size = <integer>
* Controls the size, in bytes, of the search results queue to which all
  the search pipelines dump the processed search results.
* Increasing the size can lead to search performance gains.
  Decreasing the size can reduce search performance.
* Do not specify zero for this setting.
* Default: 100000000

batch_search_max_serialized_results_queue_size = <integer>
* Controls the size, in bytes, of the serialized results queue from which
  the serialized search results are transmitted.
* Increasing the size can lead to search performance gains.
  Decreasing the size can reduce search performance.
* Do not specify zero for this setting.
* Default: 100000000

NOTE: The following batch search settings control the periodicity of retries
      to search peers in the event of failure (Connection errors, and others).
      The interval exists between failure and first retry, as well as
      successive retries in the event of further failures.

batch_retry_min_interval = <integer>
* When batch mode attempts to retry the search on a peer that failed,
  specifies the minimum time, in seconds, to wait to retry the search.
* Default: 5

batch_retry_max_interval = <integer>
* When batch mode attempts to retry the search on a peer that failed,
  specifies the maximum time, in seconds, to wait to retry the search.
* Default: 300 (5 minutes)

batch_retry_scaling = <double>
* After a batch retry attempt fails, uses this scaling factor to increase
  the time to wait before trying the search again.
* The value should be > 1.0.
* Default: 1.5

Bundles

# This section contains settings for bundles and bundle replication.

load_remote_bundles = <boolean>
* On a search peer, allow remote (search head) bundles to be loaded in splunkd.
* Default: false.

replication_file_ttl = <integer>
* The time to live (ttl), in seconds, of bundle replication tarballs,
  for example: *.bundle files.
* Default: 600 (10 minutes)

replication_period_sec  = <integer>
* The minimum amount of time, in seconds, between two successive bundle
  replications.
* Default: 60

sync_bundle_replication = [0|1|auto]
* Indicates whether configuration file replication blocks
  searches or is run asynchronously.
* When set to "auto": The Splunk software uses asynchronous
  replication only if all of the peers support asynchronous bundle
  replication.
  Otherwise synchronous replication is used.
* Default: auto

bundle_status_expiry_time = <interval>
* The amount of time the search head waits before purging the status of a knowledge bundle
  push request to the indexer.
* The status is purged either when it is not queried for a period greater than
  this setting or when its associated bundle is deleted by the reaper.
* The interval can be specified as a string for minutes, seconds, hours, days.
  For example; 60s, 1m, 1h, 1d etc.
* Default: 1h

Concurrency

# This section contains settings for search concurrency limits.

total_search_concurrency_limit = auto | <integer>
* Specifies the maximum search concurrency limit for a search head cluster
  or standalone search head.
* When set to "auto", the search head cluster or standalone search head 
  calculates the historical search concurrency limit using 
  max_hist_searches = max_searches_per_cpu x number_of_cpus + base_max_searches.
* The real-time search concurrency limit is calculated based on the historical search 
  concurrency limit.
* When set to an integer, the setting specifies the maximum search concurrency limit.
  For a search head cluster, the number specifies the maximum search limit across
  the cluster. For a standalone search head, the number specifies the maximum
  search limit for the search head. The value must be in the range of 1 to 8192.
* Default: auto

base_max_searches = <integer>
* A constant to add to the maximum number of searches, computed as a
  multiplier of the CPUs.
* Default: 6

max_rt_search_multiplier = <decimal number>
* A number by which the maximum number of historical searches is multiplied
  to determine the maximum number of concurrent real-time searches.
* NOTE: The maximum number of real-time searches is computed as:
  max_rt_searches = max_rt_search_multiplier x max_hist_searches
* Default: 1

max_searches_per_cpu = <integer>
* The maximum number of concurrent historical searches for each CPU.
  The system-wide limit of historical searches is computed as:
  max_hist_searches =  max_searches_per_cpu x number_of_cpus + base_max_searches
* NOTE: The maximum number of real-time searches is computed as:
  max_rt_searches = max_rt_search_multiplier x max_hist_searches
* Default: 1

shc_adhoc_quota_enforcement = on | off | overflow
* Determines the way in which the cluster enforces limits on the number of concurrent searches.
  Since concurrent searches include both scheduled and ad hoc searches, this setting effectively
  determines the  enforcement method for admitting new ad hoc searches.
* "on" means the ad hoc search admission process is managed cluster-wide by the captain.
* "off" means the ad hoc search admission process is managed locally, by each
   search head that receives an ad hoc search request.
* "overflow" means the local search head checks its local capacity first
  when admitting an ad hoc search. If the search head has capacity (that is,
  if the search head is below the local limit on number of concurrent searches),
  it runs the search locally. If the search head has reached its limit on concurrent
  searches, it defers to the captain for permission to run the search. The captain will
  check which search head has the capacity, and tell the local search head to proxy the search
  to the remote search head to run it.
* NOTE: Setting it to "on" or "overflow" lets a user run more ad hoc searches
        than individual cluster member concurrency limits allow. While this
        can help a user/role with heavier ad hoc search requirements, it can lead
        to under-counting of the cluster-wide ad hoc search numbers and cause
        the ad hoc search count to exceed cluster-wide quota limits. Do not
        change this setting without consulting Splunk Support.
* Default: off

Distributed search

# This section contains settings for distributed search connection
# information.

addpeer_skew_limit = <positive integer>
* Absolute value of the largest time skew, in seconds, that is allowed when
  configuring a search peer from a search head, independent of time.
* If the difference in time (skew) between the search head and the peer is
  greater than "addpeer_skew_limit", the search peer is not added.
* This is only relevant to manually added peers. This setting has no effect
  on index cluster search peers.
* Default: 600 (10 minutes)

fetch_remote_search_log = [enabled|disabledSavedSearches|disabled]
* When set to "enabled": All remote search logs are downloaded barring
  the oneshot search.
* When set to "disabledSavedSearches": Downloads all remote logs other
  than saved search logs and oneshot search logs.
* When set to "disabled": Irrespective of the search type, all remote
  search log download functionality is disabled.
* NOTE:
  * The previous Boolean values:[true|false] are still
    supported, but are not recommended.
  * The previous value of "true" maps to the current value of "enabled".
  * The previous value of "false" maps to the current value of "disabled".
* You can override this setting on a per-search basis by appending
  '|noop remote_log_fetch=[*|<indexer1;indexer2...>]' to the search string, 
  where <indexer1;indexer2...> is a list of indexers that contain the remote 
  search logs that you want to collect. 
* Default: disabledSavedSearches

max_chunk_queue_size = <integer>
* The maximum size of the chunk queue.
* default: 10000000

max_combiner_memevents = <integer>
* Maximum size of the in-memory buffer for the search results combiner.
  The <integer> is the number of events.
* Default: 50000

max_tolerable_skew = <positive integer>
* Absolute value of the largest time skew, in seconds, that is tolerated
  between the native clock on the search head and the native clock on the peer
  (independent of time zone).
* If this time skew is exceeded, a warning is logged. This estimate is
  approximate and tries to account for network delays.
* Default: 60

max_workers_searchparser = <integer>
* The number of worker threads in processing search result when using round
  robin policy.
* default: 5

results_queue_min_size = <integer>
* The minimum size, of search result chunks, that will be kept from peers
  for processing on the search head before throttling the rate that data
  is accepted.
* The minimum queue size in chunks is the "results_queue_min_size" value
  and the number of peers providing results, which ever is greater.
* Default: 10

result_queue_max_size = <integer>
* The maximum size, in bytes, that will be kept from peers for processing on
  the search head before throttling the rate that data is accepted.
* The "results_queue_min_size" value takes precedence. The number of search
  results chunks specified by "results_queue_min_size" will always be
  retained in the queue even if the combined size in MB exceeds the
  "result_queue_max_size" value.
* Default: 100

results_queue_read_timeout_sec = <integer>
* The amount of time, in seconds, to wait when the search executing on the
  search head has not received new results from any of the peers.
* Cannot be less than the 'receiveTimeout' setting in the distsearch.conf
  file.
* Default: 900

batch_wait_after_end = <integer>
* DEPRECATED: Use the 'results_queue_read_timeout_sec' setting instead.

remote_search_requests_throttling_type = disabled | per_cpu | physical_ram
* Sets the way remote searches are throttled on remote peers. Search request 
  that is throttled is rejected with 429 HTTP code.
* "disabled" simply disables any throttling.
* "per_cpu" sets the throttling based on available CPU number.
* "physical_ram" sets the throttling based on available system memory.
* Multiple, comma-separated, throttling types can be set. For example:
  'remote_search_requests_throttling_type = per_cpu, physical_ram'
  enables both "per_cpu" and "physical_ram".
* Does not apply to real-time searches.
* Do not use this feature in conjunction with workload management.
* Default: disabled

throttle_peer_busy_wait = <integer>[s|m]
* Controls how long the search head waits before it launches new searches after
  receiving a peer busy response from a search peer notifying the search head 
  that it has submitted too many search requests.
* This setting has no effect if the 'remote_search_requests_throttling_type'
  setting is disabled on all search peers because the search peers can't send 
  peer busy (429) responses.
* Specify the interval as a string with minutes or seconds.
  For example: 60s, 1m, etc.
* Default: 1m

remote_search_requests_send_capabilities_list = <boolean>
* When turned on, the search head sends the list of all capabilities of the
  user running the search to every search peer participating in the search.
* This makes it possible to uniformly enforce user-level role-based access 
  control (RBAC).
* Default: false

remote_search_requests_reject_if_capabilities_list_absent = <boolean>
* When turned on for a search peer, the search peer rejects search requests that
  do not also specify the full capability list for the user running the search.
* The search head sends the full capability list for users running the
  search when 'send_capabilities_list_to_indexer' is set to true.
* Turn this on only if all search heads have already set
  'send_capabilities_list_to_indexers' to true.
* Default: false

Field stats

# This section contains settings for field statistics.

fieldstats_update_freq = <number>
* How often to update the field summary statistics, as a ratio to the elapsed
  run time so far.
* Smaller values means update more frequently.
* When set to "0": Specifies to update as frequently as possible.
* Default: 0

fieldstats_update_maxperiod = <number>
* The maximum period, in seconds, for updating field summary statistics.
* When set to "0": Specifies that there is not maximum period. The period
  is dictated by the calculation:
  current_run_time x fieldstats_update_freq
* Fractional seconds are allowed.
* Default: 60

min_freq = <number>
* Minimum frequency of a field that is required for the field to be included
  in the /summary endpoint.
* The frequency must be a fraction >=0 and <=1.
* Default: 0.01 (1%)

History

# This section contains settings for search history.

enable_history = <boolean>
* Specifies whether to keep a history of the searches that are run.
* Default: true

max_history_length = <integer>
* Maximum number of searches to store in history for each user and application.
* When 'search_history_storage_mode' has a value of "kvstore", this value is 
  applicable per user only, and not per user and application combination.
* Default: 500

max_history_storage_retention_time = <integer>[s|m|h|d]
* The maximum time to store search history records for each user and
  application.
* This setting and the 'max_history_length' setting determine how many search
  history records appear in persistent storage.
* Search stops storing search history records when either the retention time or
  the number of search history records exceeds the values you configure with
  these settings.
* A value of 0 means that search only uses 'max_history_length' to retain
  search history to persistent storage.
* The time units you can specify for this setting are: 
  s, sec, second, secs, seconds, m, min, minute, mins, minutes,
  h, hr, hour, hrs, hours, d, day, days.
* This setting is only applicable when 'search_history_storage_mode' has
  a value of "kvstore".
* Default: 90d

search_history_storage_mode = <string>
* The storage mode by which a search head cluster saves search history.
* Valid storage modes include "csv" and "kvstore".
* This setting is valid only when the 'enable_history' setting has a value of "true".
* A value of "kvstore" means that the cluster can replicate search history across
  all its members using the App Key Value Store service.
* A value of "csv" means that search history is saved to CSV files only on the
  local search head.
* When you initially give this setting a value of "kvstore", the search head
  migrates the existing search history records, if they are present in existing
  CSV files, into the App Key Value Store service. This migration of search
  history can only happen once. If you later change the storage mode to "csv",
  then back to "kvstore", subsequent migrations do not occur.
* NOTE: In the "kvstore" storage mode, the 'max_history_length' is the maximum
  number of searches that the SHC can store for each user. In this case, the
  maximum acceptable value of 'max_history_length' cannot exceed 1000.
* Default: csv

Memory tracker

# This section contains settings for the memory tracker.

enable_memory_tracker = <boolean>
* Specifies if the memory tracker is enabled.
* When set to "false" (disabled): The search is not terminated even if
  the search exceeds the memory limit.
* When set to "true": Enables the memory tracker.
* Must be set to "true" to enable the "search_process_memory_usage_threshold"
  setting or the "search_process_memory_usage_percentage_threshold" setting.
* Default: false

search_process_memory_usage_threshold = <double>
* To use this setting, the "enable_memory_tracker" setting must be set
  to "true".
* Specifies the maximum memory, in MB, that the search process can consume
  in RAM.
* Search processes that violate the threshold are terminated.
* If the value is set to 0, then search processes are allowed to grow
  unbounded in terms of in memory usage.
* Default: 4000 (4GB)

search_process_memory_usage_percentage_threshold = <decimal>
* To use this setting, the 'enable_memory_tracker' setting must be set
  to "true".
* Specifies the percent of the total memory that the search process is
  entitled to consume.
* Search processes that violate the threshold percentage are terminated.
* If the value is set to zero, then splunk search processes are allowed to
  grow unbounded in terms of percentage memory usage.
* Any setting larger than 100 or less than 0 is discarded and the default
  value is used.
* Default: 25%

Meta search

# This section contains settings for meta search.

allow_inexact_metasearch = <boolean>
* Specifies if a metasearch that is inexact be allowed.
* When set to "true": An INFO message is added to the inexact metasearches.
* When set to "false": A fatal exception occurs at search parsing time.
* Default: false

indexed_as_exact_metasearch = <boolean>
* Specifies if a metasearch can process <field>=<value> the same as
  <field>::<value>, if <field> is an indexed field.
* When set to "true": Allows a larger set of metasearches when the
  'allow_inexact_metasearch' setting is "false". However, some of the
  metasearches might be inconsistent with the results of doing a normal
  search.
* Default: false

Misc

# This section contains miscellaneous search settings.



async_quota_update = <boolean>
* When set to 'true', this setting enables a thread that periodically checks 
  the disk quota cache for searches. 
  * Because it moves disk quota checking to an async function, this setting 
    improves search performance.
  * However, this thread can cause the number of in-process searches to 
    slightly exceed concurrent search quotas.
* Set this setting to 'false' if you require strict maintenance of user disk 
  quotas.
* Default: false

async_quota_update_freq = <number>
* The frequency, in seconds, at which the disk quota cache for searches is 
  updated.
* Applies only when 'async_quota_update=true'.
* Default: 30

use_removable_search_cache = <boolean>
* Determines if the /saved/searches handler will use a cache that
  lets it emit <removable> tags on a list call.
* This slightly changes the appearance of the delete option
  on saved search knowledge objects in Splunk Web, but results
  in a performance boost.

disk_usage_update_period = <number>
* Specifies how frequently, in seconds, should the search process estimate the
  artifact disk usage.
* The quota for the amount of disk space that a search job can use is
  controlled by the 'srchDiskQuota' setting in the authorize.conf file.
* Exceeding this quota causes the search to be auto-finalized immediately,
  even if there are results that have not yet been returned.
* Fractional seconds are allowed.
* Default: 10

dispatch_dir_warning_size = <integer>
* Specifies the number of jobs in the dispatch directory that triggers when
  to issue a bulletin message. The message warns that performance might
  be impacted.
* Default: 5000

do_not_use_summaries = <boolean>
* Do not use this setting without working in tandem with Splunk support.
* This setting is a very narrow subset of 'summary_mode=none'.
* When set to "true": Disables some functionality that is necessary for
  report acceleration.
  * In particular, when set to "true", search processes will no longer query
    the main splunkd's /admin/summarization endpoint for report acceleration
     summary IDs.
* In certain narrow use-cases this might improve performance if report
  acceleration (savedsearches.conf:auto_summarize) is not in use, by lowering
  the main splunkd's process overhead.
* Default: false

enable_createrss_command = <boolean>
* Enables the deprecated 'createrss' search command. Enabling 'createrss'
  does not affect the behavior of the 'rss' alert action.
* This deprecated command is now disabled by default.
* default: false

enable_datamodel_meval = <boolean>
* Enable concatenation of successively occurring evals into a single
  comma-separated eval during the generation of datamodel searches.
* default: true

enable_file_command = <boolean>
* DEPRECATED. This setting has been deprecated and has no effect.

enable_conditional_expansion = <boolean>
* Determines whether or not scoped conditional expansion of knowledge
* objects occurs during search string expansion. This only applies on
* the search head.
* NOTE: Do not change unless instructed to do so by Splunk Support.
* Default: true

force_saved_search_dispatch_as_user = <boolean>
* Specifies whether to overwrite the "dispatchAs" value.
* When set to "true": The "dispatchAs" value is overwritten by "user"
  regardless of the [user|owner] value in the savedsearches.conf file.
* When set to "false": The value in the savedsearches.conf file is used.
* You might want to set this to "true" to effectively disable
  "dispatchAs = owner" for the entire install, if that more closely aligns
  with security goals.
* Default: false

get_summary_id_connection_timeout = <integer>
* The connection timeout, in seconds, for a search to check for
  available summaries using the admin/summarization REST endpoint.
* This setting does not apply if 'do_not_use_summaries' is "true", or
  if 'summary_mode' is set to "none".
* Default: 5

get_summary_id_rcv_timeout = <integer>
* The timeout, in seconds, for a search to receive data from the
  admin/summarization REST endpoint when checking for available summaries.
* This setting does not apply if 'do_not_use_summaries' is "true", or
  if 'summary_mode' is set to "none".
* Default: 5

get_summary_id_send_timeout = <integer>
* The timeout, in seconds, for a search to send a query to the
  admin/summarization REST endpoint when checking for available
  summaries.
* This setting does not apply if 'do_not_use_summaries' is "true", or
  if 'summary_mode' is set to "none".
* Default: 5

max_id_length = <integer>
* Maximum length of the custom search job ID when spawned by using
  REST API argument "id".
* Default: 150

max_id_length_before_hash = <integer>
* Specifies the maximum length of a generated or custom search job ID before
  the Splunk software shortens the directory name. The search job ID itself
  remains the same.
* If set to 0, the Splunk software never hashes the ID. In this case, IDs that
  are too long cause the search to fail.
* NOTE: Do not change this setting unless instructed to do so by Splunk Support.
* Default: 230

search_keepalive_frequency = <integer>
* Specifies how often, in milliseconds, a keepalive is sent while a search
  is running.
* Default: 30000 (30 seconds)

search_keepalive_max = <integer>
* The maximum number of uninterupted keepalives before the connection is closed.
* This counter is reset if the search returns results.
* Default: 100

search_retry = <Boolean>
* Specifies whether the Splunk software reruns all or elements of a currently 
  running search process when the search process is affected by indexer
  failures in an indexer clustering environment. 
  * Indexers can fail during rolling restart or indexer upgrade when indexer
    clustering is enabled. Indexer reboots can also result in failures.
* When set to 'true', the Splunk software attempts to rerun search processes 
  that are affected by indexer failures. The Splunk software can rerun entire 
  searches and it can rerun searches from the indexer fail point. Do not set 
  the value to "1" to indicate "true", because some systems might not parse 
  this value correctly.
  * NOTE: Splunk software performs search reruns on a best effort basis. When 
    you enable this setting it is possible for Splunk software to return 
    partial results for searches without warning.
* When set to 'false', search processes stop returning results from specific 
  indexers when those indexers fail, and the Splunk software does not rerun 
  those searches.
* Default: false

search_retry_max_historical = <integer>
* Specifies the maximum number of attempts that the Splunk software makes to  
  rerun a historical search as described by 'search_retry'. 
* This setting is applied only when 'search_retry = true'.
* This setting applies only to historical searches.
* When the number of attempts exceeds 'search_retry_max_historical', the search 
  fails with an error stating that results are incomplete.
* Default: 15


search_retry_waiting_time = <integer>
* Sets how long, in seconds, 'search_retry' waits to get updated indexer 
  information. 
* The wait time required for recovery after indexer failure can vary depending 
  on your indexer environment. 
* Increase this value if your environment needs more recovery time to get 
  updated indexer information.
* The value should be >= 1
* Default: 70

stack_size = <integer>
* The stack size, in bytes, of the thread that executes the search.
* Default: 4194304 (4MB)

summary_mode = [all|only|none]
* Specifies if precomputed summary data are to be used.
* When set to "all": Use summary data if possible, otherwise use raw data.
* When set to "only": Use summary data if possible, otherwise do not use
  any data.
* When set to "none": Never use precomputed summary data.
* Default: all

track_indextime_range = <boolean>
* Specifies if the system should track the _indextime range of returned
  search results.
* Default: true

use_bloomfilter = <boolean>
* Specifies whether the Splunk software uses Bloom filters to optimize searches.
* When set to 'true', the Splunk software consults 'bloomfilter' files that may 
  be present in index buckets to determine whether those buckets contain 
  relevant search terms, thereby enabling the software to skip search of tsidx 
  files that do not have relevant search terms. In this way, Bloom filter usage 
  can improve search performance.
* When set to 'false', the Splunk software searches tsidx summary files without 
  filtering out tsidx files that do not have relevant terms.  
* NOTE: Do not change this setting unless instructed to do so by Splunk Support.
* Default: true

use_metadata_elimination = <boolean>
* Control whether to use metadata to rule out buckets.
* Default: true

results_serial_format = [csv|srs]
* The internal format used for storing serialized results on disk.
* Options:
*    csv: Comma-separated values format
*    srs: Splunk binary format
* NOTE: Do not change this setting unless instructed to do so by Splunk Support.
* Default: srs

results_compression_algorithm = [gzip|zstd|none]
* The compression algorithm used for storing serialized results on disk.
* Options:
*    gzip: gzip
*    zstd: zstd
*    none: No compression
* NOTE: Do not change this setting unless instructed to do so by Splunk Support.
* Default: zstd

record_search_telemetry = <boolean>
* Controls whether to record search related metrics in search_telemetry.json
  in the dispatch dir. It also indexes this file to the _introspection index.
* NOTE: Do not change this setting unless instructed to do so by Splunk Support.
* Default: true


search_telemetry_file_limit = <integer>
* Sets a limit to the number of telemetry files that the Splunk software can
  copy to the var/run/splunk/search_telemetry/ directory, so that it may index
  them in the _introspection index.
* Once this limit is reached, the Splunk software stops adding telemetry files
  to the directory for indexing.
* NOTE: Do not change this setting unless instructed to do so by Splunk Support.
* Default: 500


search_telemetry_component_limit = <integer>
* Sets a limit to the size (in bytes) of each of the constituent components in
  the search telemetry json representation.
* Once this limit is reached, the Splunk software will replace the constituent
  component with a simple value: "trimmed".
* NOTE: Do not change this setting unless instructed to do so by Splunk Support.
* Default: 10000

use_dispatchtmp_dir = <boolean>
* DEPRECATED. This setting has been deprecated and has no effect.

auto_cancel_after_pause = <integer>
* Specifies the amount of time, in seconds, that a search must be paused before
  the search is automatically cancelled.
* If set to 0, a paused search is never automatically cancelled.
* Default: 0

always_include_indexedfield_lispy = <boolean>
* Whether or not search always looks for a field that does not have
  "INDEXED = true" set in fields.conf using both the indexed and non-
  indexed forms.
* If set to "true", when searching for <field>=<value>, the lexicon is
  searched for both "<field>::<value>" and "<value>".
* If set to "false", when searching for <field>=<val>, the lexicon is
  searched only for "<value>".
* Set to "true" if you have fields that are sometimes indexed and
  sometimes not indexed.
* For field names that are always indexed, it is much better
  for performance to set "INDEXED = true" in fields.conf for
  that field instead.
* Default: true

indexed_fields_expansion = <boolean>
* Specifies whether search scopes known indexed fields with the source types
  that they are known to be indexed with.
* When set to 'true', for every field known to be indexed, the Splunk software
  converts every known field=val statement to field::val, scoped with the
  applicable sourcetypes.
* Default: true

max_searchinfo_map_size = <integer>
* Maximum number of entries in each SearchResultsInfo data structure map that
  are used to track information about search behavior
* Default: 50000

track_matching_sourcetypes = <boolean>
* if true, keeps track of the number of events of each sourcetype that match a
  search, and store that information in info.csv
* Default: true

search_launch_timeout_seconds = <positive integer>
* The maximum amount of time, in seconds, to wait before a search job
  is launched successfully.
* If a search job does not launch after the timeout interval elapses, 
  the job terminates as a search failure.
* If search jobs time out frequently before successfully launching, check 
  whether the server running Splunk software is overloaded. Alternatively, 
  change this setting to a number greater than 180.
* For most deployments, 180 seconds is sufficient.  
* Default: 180

search_startup_config_timeout_ms = <positive integer>
* The amount of time allowed in milliseconds to initialize a search job's  
  configuration, including the knowledge bundle.
* If initializing the search configuration takes longer than the time allowed 
  by this setting, the 'DISPATCH_RUNNER:SLOW_CONFIG_INITIAL' warning message 
  is displayed in Splunk Web.
* This setting is used only to monitor search performance. 
* Default: 3000

max_audit_sourcetypes = <integer>
* if track_matching_sourcetypes = true, the matching sourcetypes
  for a search will be written to the info=completed audit.log message
  upon completion of the search, up to max_audit_sourcetypes.
* If max_audit_sourcetypes is set to 0, sourcetype information
  will not be added to audit.log.
* If the number of matching sourcetypes exceeds the max_audit_sourcetypes
  setting, the sourcetypes with the greatest number of matching
  events will be included.
* Default: 100

use_search_evaluator_v2 = <boolean>
* If true, search evaluator v2 is used.
* NOTE: Do not change this setting unless instructed to do so by Splunk Support.
* Default: true

use_bucket_predictor_v2 = <boolean>
* If set to "true", uses version 2 of the bucket predictor,
  which improves sparse SmartStore search performance. If set to "false",
  search uses the older version of the bucket predictor.
* NOTE: Do not change this setting unless instructed to do so by Splunk Support.
* Default: false

execute_postprocess_in_search = <boolean>
* If true, try to run postprocess searches ahead of time in the search process
  instead of the main splunkd process.
* Default: true

max_fieldmeta_cnt_ui = <number>
* The maximum number of field metadata displayed in the /jobs/fieldmeta endpoint.
* When viewing the search job status for searches with a large
  number of field metadata, decreasing this value will reduce the memory load on
  splunkd mothership, but show less field metadata in the web UI.
* Default: 1000


Parsing

# This section contains settings related to parsing searches.

max_macro_depth = <integer>
* Maximum recursion depth for macros. Specifies the maximum levels for macro
  expansion.
* It is considered a search exception if macro expansion does not stop after
  this many levels.
* Value must be greater than or equal to 1.
* Default: 100

max_subsearch_depth = <integer>
* Maximum recursion depth for subsearches. Specifies the maximum levels for
  subsearches.
* It is considered a search exception if a subsearch does not stop after
  this many levels.
* Default: 8

min_prefix_len = <integer>
* The minimum length of a prefix before a wildcard (*) to use in the query
  to the index.
* Default: 1

use_directives = <boolean>
* Specifies whether a search can take directives and interpret them
  into arguments.
* This is used in conjunction with the search optimizer in order to
  improve search performance.
* Default: true

Phased execution settings

# This section contains settings for multi-phased execution

phased_execution = <boolean>
* DEPRECATED: This setting has been deprecated.

phased_execution_mode = [multithreaded|auto|singlethreaded]
* DEPRECATED: This setting has been deprecated.
* Controls whether searches use the multiple-phase method of search execution,
  which is required for parallel reduce functionality as of Splunk Enterprise
  7.1.0.
* When set to 'multithreaded' the Splunk platform uses the multiple-phase
  search execution method. Allows usage of the 'prjob' command
  and the 'redistribute' command.
* When set to 'auto', the Splunk platform uses the multiple-phase search
  execution method when the 'prjob' command or the 'redistribute' command
  are used in the search string. If neither the 'prjob' command nor the
  'redistribute' command are present in the search string, the single-phase
  search execution method is used.
* When set to 'singlethreaded' the Splunk platform uses the single-threaded
  search execution method, which does not allow usage of the 'prjob' command
  or the 'redistribute' command.
* NOTE: Do not change this setting unless instructed to do so by Splunk Support.
* Default: multithreaded

Preview

# This section contains settings for previews.

max_preview_period = <integer>
* The maximum time, in seconds, between previews.
* Used with the preview interval that is calculated with the
  'preview_duty_cycle' setting.
* When set to "0": Specifies unlimited time between previews.
* Default: 0

min_preview_period = <integer>
* The minimum time, in seconds, required between previews. When the calculated
  interval using 'preview_duty_cycle' indicates previews should be run
  frequently. This setting is used to limit the frequency with which previews
  run.
* Default: 1

preview_duty_cycle = <number>
* The maximum time to spend generating previews, as a fraction of the total
  search time.
* Must be > 0.0 and < 1.0
* Default: 0.25

preview_freq = <timespan> or <decimal>
* The minimum amount of time between results preview updates.
* You can specify values for this setting in one of two formats: 
  * As a span of time. In this format, you specify an integer and a character 
    that represents a time unit, for example, "10s" means 10 seconds. The 
    preview updates every period of 'preview_freq'.
  * As a ratio of the amount of time that the search has been running. In this 
    format, you specify a decimal. The preview updates as a ratio of the amount 
    of time that the search has ben running, or as a ratio of the length of the 
    time window for real-time windowed searches.
* If you use the ratio format, you must specify a decimal number above 0 and 
  less than 1.
* A setting of 0 disables preview_freq, meaning that there are no limits to the 
  minimum time between previews. 
* NOTE: Change this setting only when instructed to do so by Splunk Support.
* Default: 0.05

max_preview_generation_inputcount = <unsigned integer>
* The maximum number of input result rows that the search head can use to
  generate search result previews.
* NOTE: This setting doesn't apply to Splunk-to-Splunk federated searches.
  To change your federated search configuration, use the 
  'max_preview_generation_inputcount' setting in the federated.conf file.
* This limit doesn't stop searches from completing and returning final
  result sets.
* When a search reaches this limit, preview generation processes only the 
  first number of rows specified by the 'max_preview_generation_inputcount' 
  setting in order to generate the preview results.
* Change the value of this setting to a number above zero if your
  searches are being terminated because their preview generation duration exceeds
  a timeout set by another component in your network, such as an elastic load
  balancer (ELB).
  * For example, if you have an ELB that times out at 60 seconds, you might set
    the 'max_preview_generation_inputcount' to "500000".
* A setting of "0" means that the preview generation input count of searches is
  unlimited.
* Default: 0

Quota or queued searches

# This section contains settings for quota or queued searches.

default_allow_queue = <boolean>
* Unless otherwise specified by using a REST API argument, specifies if an
  asynchronous job spawning request should be queued on quota violation.
  If not, an http error of server too busy is returned.
* Default: 1 (true)

dispatch_quota_retry = <integer>
* The maximum number of times to retry to dispatch a search when the quota has
  been reached.
* Default: 1

dispatch_quota_sleep_ms = <integer>
* The time, in milliseconds, between retrying to dispatch a search when a
  quota is reached.
* Retries the given number of times, with each successive wait 2x longer than
  the previous wait time.
* Default: 10

enable_cumulative_quota = <boolean>
* Specifies whether to enforce cumulative role based quotas.
* Default: false

queued_job_check_freq = <number>
* Frequency, in seconds, to check queued jobs to determine if the jobs can
  be started.
* Fractional seconds are allowed.
* Default: 1.

Reading chunk controls

# This section contains settings for reading chunk controls.

chunk_multiplier = <integer>
* A multiplier that the 'max_results_perchunk', 'min_results_perchunk', and
  'target_time_perchunk' settings are multiplied by for a long running search.
* Default: 5

long_search_threshold = <integer>
* The time, in seconds, until a search is considered "long running".
* Default: 2

max_rawsize_perchunk = <integer>
* The maximum raw size, in bytes, of results for each call to search
  (in dispatch).
* When set to "0": Specifies that there is no size limit.
* This setting is not affected by the 'chunk_multiplier' setting.
* Default: 100000000 (100MB)

max_results_perchunk = <integer>
* Maximum results for each call to search (in dispatch).
* Must be less than or equal to the 'maxresultrows' setting.
* Default: 2500

min_results_perchunk = <integer>
* The minimum results for each call to search (in dispatch).
* Must be less than or equal to the 'max_results_perchunk' setting.
* Default: 100

target_time_perchunk = <integer>
* The target duration, in milliseconds, of a particular call to fetch
  search results.
* Default: 2000 (2 seconds)

Real-time

# This section contains settings for real-time searches.

check_splunkd_period = <number>
* Amount of time, in seconds, that determines how frequently the search process
  (when running a real-time search) checks whether the parent process
  (splunkd) is running or not.
* Fractional seconds are allowed.
* Default: 60 (1 minute)

realtime_buffer = <integer>
* Maximum number of accessible events to keep for real-time searches in
  Splunk Web.
* Acts as circular buffer after this buffer limit is reached.
* Must be greater than or equal to 1.
* Default: 10000

Remote storage

# This section contains settings for remote storage.

bucket_localize_acquire_lock_timeout_sec = <integer>
* The maximum amount of time, in seconds, to wait when attempting to acquire a
  lock for a localized bucket.
* When set to 0, waits indefinitely.
* This setting is only relevant when using remote storage.
* Default: 60 (1 minute)

bucket_localize_connect_timeout_max_retries = <integer>
* The maximum number of times to retry when getting connect timeouts
  while trying to localize a bucket.
* When set to 0, do not retry
* This setting is only relevant when using remote storage.
* Default: 5

bucket_localize_max_timeout_sec = <integer>
* The maximum amount of time, in seconds, to spend localizing a bucket stored
  in remote storage.
* If the bucket contents (what is required for the search) cannot be localized
  in that timeframe, the bucket will not be searched.
* When set to "0": Specifies an unlimited amount of time.
* This setting is only relevant when using remote storage.
* Default: 300 (5 minutes)

bucket_localize_status_check_period_ms = <integer>
* The amount of time, in milliseconds, between consecutive status checks to see
  if the needed bucket contents required by the search have been localized.
* This setting is only relevant when using remote storage.
* The minimum and maximum values are 10 and 60000, respectively.  If the
  specified value falls outside this range, it is effectively set to the
  nearest value within the range.  For example, if you set the value to
  70000, the effective value will be 60000.
* Default: 50 (.05 seconds)

bucket_localize_status_check_backoff_start_ms = <integer>
* When explicitly set, and different from bucket_localize_status_check_period_ms,
  enables exponential backoff between consecutive status checks for bucket
  localization. Starting from the specified amount of time, in milliseconds, up to
  bucket_localize_status_check_period_ms.
* This setting is only relevant when using remote storage.
* Setting this option is beneficial when bucket contents localize quickly (e.g., in
  less time than the minimal allowed value for bucket_localize_status_check_period_ms),
  or with high variability.
* The minimum and maximum values are 1 and bucket_localize_status_check_period_ms,
  respectively. If the specified value falls outside this range, it is effectively
  set to the nearest value within the range.
* NOTE: Do not change this setting unless instructed to do so by Splunk Support.
* Default: 0 (no backoff)

bucket_localize_max_lookahead = <integer>
* Specifies the maximum number of buckets the search command localizes
  for look-ahead purposes, in addition to the required bucket.
* Increasing this value can improve performance, at the cost of additional
  network/io/disk utilization.
* Valid values are 0-64. Any value larger than 64 will be set to 64. Other
  invalid values will be discarded and the default will be substituted.
* This setting is only relevant when using remote storage.
* Default: 5

bucket_localize_lookahead_priority_ratio = <integer>
* A value of N means that lookahead localizations will occur only 1 out of N
  search localizations, if any.
* Default: 5

bucket_predictor = [consec_not_needed|everything]
* Specifies which bucket file prediction algorithm to use.
* Do not change this unless you know what you are doing.
* Default: consec_not_needed

Results storage

# This section contains settings for storing final search results.

max_count = <integer>
* The number of events that can be accessible in any given status bucket
  (when status_buckets = 0).
* The last accessible event in a call that takes a base and count.
* NOTE: This value does not reflect the number of events displayed in the
  UI after the search is evaluated or computed.
* Default: 500000

max_events_per_bucket = <integer>
* For searches with 'status_buckets>0', this setting limits the number of
  events retrieved for each timeline bucket.
* Default: 1000 in code.

status_buckets = <integer>
* The approximate maximum number buckets to generate and maintain in the
  timeline.
* Default: 0, which means do not generate timeline information

read_final_results_from_timeliner = <boolean>
* When you run a search of event data where 'status_buckets > 0', this setting
  controls the contents of the results.csv.gz and results.srs.zstd files in the
  search artifact.
* When set to "true", the final results saved to disk by the search process on
  the search head are a sample of events ready from the timeliner. Do not set 
  the value to "1" to indicate "true", because some systems might not parse 
  this value correctly.
* When set to "false", the final results saved to disk by the search process on
  the search head are all events produced by the last SPL command, up to a
  limit of 'max_count' events.
* The 'read_final_results_from_timeliner' setting affects the output of
  subsequent 'loadjob' searches.
    * When set to "true" the 'loadjob' search returns the sample of the final
      results, not the full result set. For example, if the full result set is
      10k results, it might return only 1000 results.
    * When set to "false" the 'loadjob' search returns the full set of search
      results. For example, if the full result set is 10k results, it returns 10k
      results.
* Default: true

field_filters = <boolean>
* Determines whether field filters can be used to protect sensitive data in
  Splunk platform indexes.
* When set to "true": field filters are turned on.
* When set to "false": field filters are turned off.
* Default: true

truncate_report = [1|0]
* Specifies whether or not to apply the 'max_count' setting to report output.
* Default: 0 (false)

write_multifile_results_out = <boolean>
* At the end of the search, if results are in multiple files, write out the
  multiple files to the results_dir directory, under the search results
  directory.
* This setting speeds up post-processing search, since the results will
  already be split into appropriate size files.
* Default: true

Search process

# This section contains settings for search process configurations.

idle_process_cache_search_count = <integer>
* The number of searches that the search process must reach, before purging
  older data from the cache. The purge is performed even if the
  'idle_process_cache_timeout' has not been reached.
* When a search process is allowed to run more than one search, the search
  process can cache some data between searches.
* When set to a negative value: No purge occurs, no matter how many
  searches are run.
* Has no effect on Windows if 'search_process_mode' is not set to "auto"
  or if 'max_searches_per_process' is set to "0" or "1".
* Default: 8

idle_process_cache_timeout = <number>
* The amount of time, in seconds, that a search process must be idle before
  the system purges some older data from these caches.
* When a search process is allowed to run more than one search, the search
  process can cache some data between searches.
* When set to a negative value: No purge occurs, no matter on how long the
  search process is idle.
* When set to "0": Purging always occurs, regardless of whether the process
  has been idle or not.
* Has no effect on Windows if 'search_process_mode' is not set to "auto" or
  if 'max_searches_per_process' is set to "0" or "1".
* Default: 0.5 (seconds)

idle_process_regex_cache_hiwater = <integer>
* A threshold for the number of entries in the regex cache. If the regex cache
  grows to larger than this number of entries, the systems attempts to
  purge some of the older entries.
* When a search process is allowed to run more than one search, the search
  process can cache compiled regex artifacts.
* Usually the 'idle_process_cache_search_count' and the
  'idle_process_cache_timeout' settings keep the regex cache at a
  reasonable size.  This setting prevents the cache from growing
  extremely large during a single large search.
* When set to a negative value: No purge occurs, not matter how large
  the cache.
* Has no effect on Windows if 'search_process_mode' is not set to "auto" or
  if 'max_searches_per_process' is set to "0" or "1".
* Default: 2500

idle_process_reaper_period = auto | <number>
* The amount of time, in seconds, between checks to determine if there are
  too many idle search processes.
* When a search process is allowed to run more than one search, the system
  checks if there are too many idle search processes.
* Has no effect on Windows if 'search_process_mode' is not set to "auto" or
  if 'max_searches_per_process' is set to "0" or "1".
* Default: 30

launcher_max_idle_checks = auto | <integer>
* Specifies the number of idle processes that are inspected before giving up
  and starting a new search process.
* When allowing more than one search to run for each process, the system
  attempts to find an appropriate idle process to use.
* When set to a negative value: Every eligible idle process is inspected.
* Has no effect on Windows if 'search_process_mode' is not set to "auto" or
  if 'max_searches_per_process is set to "0" or "1".
* Default: 5

launcher_threads = <integer>
* The number of server thread to run to manage the search processes.
* Valid only when more than one search is allowed to run for each process.
* Has no effect on Windows if 'search_process_mode' is not set to "auto" or
  if 'max_searches_per_process' is set to "0" or "1".
* Default: -1 (a value is selected automatically)

max_idle_process_count = auto | <integer>
* The maximum number of preforked search processes that are
  allowed to be idle and reused by later search execution.
* The setting is valid if the 'enable_search_process_long_lifespan' 
  setting in the server.conf file is set to "true". Otherwise, it is
  set to zero when "enable_search_process_long_lifespan = false".
* If the total number of idle search processes exceeds this setting, 
  some processes are reaped until the number meets the setting.
* Adjust this setting to control how the Splunk server memory is used by 
  idle search processes. The Splunk server can consume more system memory
  when the number of idle search processes is higher.
* When set to "auto": the initial value is set to 64.
* When set to "-1" or another negative value: the setting has no limit.
* This setting is not applied on computers running Windows or when 
  'search_process_mode' is not "auto".
* Default: auto

max_idle_process_memory = auto | <integer>
* The maximum amount of memory (RSS) in KB used by a search process that is
  allowed to be idle and reused later after running successfully.
* The setting is valid if the 'enable_search_process_long_lifespan' 
  setting in the server.conf file is set to "true".
* If the memory used by a search process when it runs exceeds this setting, 
  the process is not reusable. As a result, the process exits after it runs.
* Use this setting to prevent a search process from potential OOM issues 
  due to the increase in memory usage after the process has been reused
  too many times.
* When set to "auto": The initial default value is set to "(1024*1024)" KB 
  and subsequently adjusted automatically depending on the amount of system 
  memory that is available to Splunk software.
* When set to "-1" or another negative value: The memory size is not limited.
* Has no effect on Windows or if "search_process_mode" is not "auto".
* Default: auto

max_search_process_pool = auto | <integer>
* The maximum number of search processes that can be launched to run searches
  in the pool of preforked search processes.
* The setting is valid if the 'enable_search_process_long_lifespan' setting  
  in the server.conf file is set to "true".
* Use this setting to limit the total number of running search processes on
  a search head or peer that is prevented from being overloaded or using
  high system resources (CPU, Memory, etc).
* When set to "auto": Splunk server determines the pool size by multiplying 
  the number of CPU cores and the allowed number of search processes (16). 
  The pool size is 64 at minimum.
* When set to "-1" or another negative value: The pool size is not limited.
* Has no effect on Windows or if "search_process_mode" is not "auto".
* Default: 2048

max_old_bundle_idle_time = auto | <number>
* The amount of time, in seconds, that a process bundle must be idle before
  the process bundle is considered for reaping.
* Used when reaping idle search processes and the process is not configured
  with the most recent configuration bundle.
* When set to "auto": Splunk software uses the internal default value.
  If the 'enable_search_process_long_lifespan' setting in the server.conf
  file is set to "true", the default value is "300". Otherwise, it is "5".
* When set to "-1" or negative value: The idle processes are not reaped sooner
  than normal if the processes are using an older configuration bundle.
* Has no effect on Windows if 'search_process_mode' is not set to "auto" or
  if 'max_searches_per_process' is set to "0" or "1".
* Default: 5

max_searches_per_process = <integer>
* Specifies the maximum number of searches that each search process can run 
  before exiting.
* After a search completes, the search process can wait for another search to
  start and the search process can be reused.
* When set to "0" or "1": The process is never reused.
* When set to a negative value: There is no limit to the number of searches
  that a process can run.
* Has no effect on Windows if 'search_process_mode' is not set to "auto".
* Default: 500 (Linux) 
* Default: 1 (Windows)

max_searches_started_per_cycle = <integer>
* Specifies the number of new, concurrent searches started by the search
  launcher in a cycle.
* This limits the contention between running searches and new searches,
  improving search process reuse, and efficiency. 
* Note: Do not change this setting unless instructed to do so by Splunk
  Support.
* Has no effect on Windows if 'search_process_mode' is not set to "auto" or if
  'max_searches_per_process' is set to "0" or "1".
* Default: 30

max_time_per_process = auto | <number>
* Specifies the maximum time, in seconds, that a process can spend running
  searches.
* When a search process is allowed to run more than one search, limits how
  much time a process can accumulate running searches before the process
  must exit.
* When set to a negative value: There is no limit on the amount of time a
  search process can spend running.
* Has no effect on Windows if 'search_process_mode' is not set to "auto" or
  if 'max_searches_per_process' is set to "0" or "1".
* NOTE: A search can run longer than the value set for 'max_time_per_process'
  without being terminated. This setting ONLY prevents the process from
  being used to run additional searches after the maximum time is reached.
* Default: auto

process_max_age = <number>
* Specifies the maximum age, in seconds, for a search process.
* When a search process is allowed to run more than one search, a process
  is not reused if the process is older than the value specified.
* When set to a negative value: There is no limit on the age of the
  search process.
* This setting includes the time that the process spends idle, which is
  different than "max_time_per_process" setting.
* Has no effect on Windows if 'search_process_mode' is not set to "auto" or
  if 'max_searches_per_process' is set to "0" or "1".
* NOTE: A search can run longer than the time set for 'process_max_age'
  without being terminated. This setting ONLY prevents that process from
  being used to run more searches after the search completes.
* Default: 7200 (120 minutes or 2 hours)

process_min_age_before_user_change = auto | <number>
* The minimum age, in seconds, of an idle process before using a process
  from a different user.
* When a search process is allowed to run more than one search, the system
  tries to reuse an idle process that last ran a search by the same Splunk
  user.
* If no such idle process exists, the system tries to use an idle process
  from a different user. The idle process from a different user must be
  idle for at least the value specified for the
  'process_min_age_before_user_change' setting.
* When set to "0": Any idle process by any Splunk user can be reused.
* When set to a negative value: Only a search process by same Splunk user
  can be reused.
* Has no effect on Windows if 'search_process_mode' is not set to "auto" or
  if 'max_searches_per_process' is set to "0" or "1".
* Default: 4

search_process_mode = [auto|traditional|debug <debugging-command> <debugging-args>]
* Controls how search processes are started.
* When set to "traditional": Each search process is initialized completely
  from scratch.
* When set to "debug": When set to a string beginning with "debug",
  searches are routed through the <debugging-command>, where the user can
  "plug in" debugging tools.
  * The <debugging-command> must reside in one of the following locations:
    * $SPLUNK_HOME/etc/system/bin/
    * $SPLUNK_HOME/etc/apps/$YOUR_APP/bin/
    * $SPLUNK_HOME/bin/scripts/
  * The <debugging-args> are passed, followed by the search command it
    would normally run, to <debugging-command>
    * For example, given the following setting:
        search_process_mode = debug $SPLUNK_HOME/bin/scripts/search-debugger.sh 5
      A command similar to the following is run:
        $SPLUNK_HOME/bin/scripts/search-debugger.sh 5 splunkd search \
        --id=... --maxbuckets=... --ttl=... [...]
* Default: auto

search_process_configure_oom_score_adj = <boolean>
* Determines whether to increase the value of the oom_score (Out of Memory
  Score) for search processes.
* The oom_score is proportional to the amount of memory used by the process,
  and shows how likely the system is to terminate the process due to low
  available memory. When memory runs low, the system kills the process with the
  highest oom_score to free the most memory.
* If set to true, when system runs out of memory, the kernel preferentially
  kills search processes to protect the main splunkd process and make the
  overall service more stable.
* Applies to Linux operating system only.
* Default: true.

search_process_set_oom_score_adj = <integer>
* Specifies the value added to the existing oom_score for search processes.
* Applies only when 'search_process_configure_oom_score_adj' is set to true.
* The higher the value, the more likely the system is to kill search processes
  before the main splunkd process, decreasing the risk of a Splunk software
  crash.
* Supports integers between 0 and 1000. If set to 0, this setting has no
  effect on searches.
* Generally, the highest oom_score of main splunkd process is less than 700.
  Thus, by adding the default value, in most cases the system is likely to kill
  search processes before it kills the main splunkd process.
* Default: 700.

search_messages.log


log_search_messages = <boolean>
* Specifies whether splunkd promotes user-facing search messages
  from $SPLUNK_HOME/var/run/splunk/dispatch/<sid>/info.csv to
  $SPLUNK_HOME/var/log/splunk/search_messages.log.
* Splunkd does not promote messages with a severity that is ranked
  lower than the value of search_messages_severity.
* Splunkd promotes messages only after search has been audited.
* The search_messages.log file follows this format when it logs messages:
  orig_component="..." sid="..." peer_name="..." message=...
* Default: true

search_messages_severity = <string>
* When 'log_search_messages = true', this setting specifies the lowest
  severity of message that splunkd logs to search_messages.log.
  The processor ignores all messages with a lower severity.
* Possible values in ascending order: DEBUG, INFO, WARN, ERROR
  * For example, when 'search_messages_severity = WARN', splunkd logs
    only messages with 'WARN' and 'ERROR' severities.
* Default: WARN

Search reuse

# This section contains settings for search reuse.

allow_reuse = <boolean>
* Specifies whether to allow normally executed historical searches to be
  implicitly re-used for newer requests if the newer request allows it.
* Default: true

reuse_map_maxsize = <integer>
* Maximum number of jobs to store in the reuse map.
* Default: 1000

Splunk Analytics for Hadoop

# This section contains settings for use with Splunk Analytics for Hadoop.

reduce_duty_cycle = <number>
* The maximum time to spend performing the reduce, as a fraction of total
  search time.
* Must be > 0.0 and < 1.0.
* Default: 0.25

reduce_freq = <integer>
* When the specified number of chunks is reached, attempt to reduce
  the intermediate results.
* When set to "0": Specifies that there is never an attempt to reduce the
  intermediate result.
* Default: 10

remote_reduce_limit = <unsigned long>
* The number of results processed by a streaming search before a reduce
  is forced.
* NOTE: this option applies only if the search is run with --runReduce=true
  (currently only Splunk Analytics for Hadoop does this)
* When set to "0": Specifies that there is no limit.
* Default: 1000000

unified_search = <boolean>
* Specifies if unified search is turned on for hunk archiving.
* Default: false

Status

# This section contains settings for search status.

status_cache_size = <integer>
* The number of status data for search jobs that splunkd can cache in RAM.
  This cache improves performance of the jobs endpoint.
* Default: 10000

status_period_ms = <integer>
* The minimum amount of time, in milliseconds, between successive
  status/info.csv file updates.
* This setting ensures that search does not spend significant time just
  updating these files.
  * This is typically important for very large number of search peers.
  * It could also be important for extremely rapid responses from search
    peers, when the search peers have very little work to do.
* Default: 1000 (1 second)

Timelines

# This section contains settings for timelines.

remote_event_download_finalize_pool = <integer>
* Size of the pool, in threads, responsible for writing out the full
  remote events.
* Default: 5

remote_event_download_initialize_pool = <integer>
* Size of the pool, in threads, responsible for initiating the remote
  event fetch.
* Default: 5

remote_event_download_local_pool = <integer>
* Size of the pool, in threads, responsible for reading full local events.
* Default: 5

remote_timeline = <boolean>
* Specifies if the timeline can be computed remotely to enable better
  map/reduce scalability.
* Default: 1 (true)

remote_timeline_connection_timeout = <integer>
* Connection timeout, in seconds, for fetching events processed by remote
  peer timeliner.
* Default: 5.

remote_timeline_fetchall = <boolean>
* When set to "1" (true): Splunk fetches all events accessible through the
  timeline from the remote peers before the job is considered done.
  * Fetching of all events might delay the finalization of some searches,
    typically those running in verbose mode from the main Search view in
    Splunk Web.
  * This potential performance impact can be mitigated by lowering the
    'max_events_per_bucket' settings.
* When set to "0" (false): The search peers might not ship all matching
  events to the search head, particularly if there is a very large number
  of them.
    * Skipping the complete fetching of events back to the search head will
      result in prompt search finalization.
    * Some events may not be available to browse in the UI.
* This setting does NOT affect the accuracy of search results computed by
  reporting searches.
* Default: 1 (true)

remote_timeline_max_count = <integer>
* Maximum number of events to be stored per timeline bucket on each search
  peer.
* Default: 10000

remote_timeline_max_size_mb = <integer>
* Maximum size of disk, in MB, that remote timeline events should take
  on each peer.
* If the limit is reached, a DEBUG message is emitted and should be
  visible in the job inspector or in messages.
* Default: 100

remote_timeline_min_peers = <integer>
* Minimum number of search peers for enabling remote computation of
  timelines.
* Default: 1

remote_timeline_parallel_fetch = <boolean>
* Specifies whether to connect to multiple peers at the same time when
  fetching remote events.
* Default: true

remote_timeline_prefetch = <integer>
* Specifies the maximum number of full eventuate that each peer should
  proactively send at the beginning.
* Default: 100

remote_timeline_receive_timeout = <integer>
* Receive timeout, in seconds, for fetching events processed by remote peer
  timeliner.
* Default: 10

remote_timeline_send_timeout = <integer>
* Send timeout, in seconds, for fetching events processed by remote peer
  timeliner.
* Default: 10

remote_timeline_thread = <boolean>
* Specifies whether to use a separate thread to read the full events from
  remote peers if 'remote_timeline' is used and 'remote_timeline_fetchall'
  is set to "true".
  Has no effect if 'remote_timeline' or 'remote_timeline_fetchall' is set to
  "false".
* Default: 1 (true)

remote_timeline_touchperiod = <number>
* How often, in seconds, while a search is running to touch remote timeline
  artifacts to keep the artifacts from being deleted by the remote peer.
* When set to "0": The remote timelines are never touched.
* Fractional seconds are allowed.
* Default: 300 (5 minutes)

timeline_events_preview = <boolean>
* When set to "true": Display events in the Search app as the events are
  scanned, including events that are in-memory and not yet committed, instead
  of waiting until all of the events are scanned to see the search results.
  You will not be able to expand the event information in the event viewer
  until events are committed.
* When set to "false": Events are displayed only after the events are
  committed (the events are written to the disk).
* This setting might increase disk usage to temporarily save uncommitted
  events while the search is running. Additionally, search performance might
  be impacted.
* Default: false

timeline_freq = <timespan> or <ratio>
* The minimum amount of time, in seconds, between timeline commits.
* If specified as a number < 1 (and > 0), minimum time between commits is
  computed as a ratio of the amount of time that the search has been running.
* Default: 0

TTL


# This section contains time to live (ttl) settings.

cache_ttl = <integer>
* The length of time, in seconds, to persist search cache entries.
* Default: 300 (5 minutes)

default_save_ttl = <integer>
* How long, in seconds, the ttl for a search artifact should be extended in
  response to the save control action.
* When set to 0, the system waits indefinitely.
* Default: 604800 (1 week)

failed_job_ttl = <integer>
* How long, in seconds, the search artifacts should be stored on disk after
  a job has failed. The ttl is computed relative to the modtime of the
  status.csv file of the job, if the file exists, or the modtime of the
  artifact directory for the search job.
* If a job is being actively viewed in the Splunk UI then the modtime of
  the status.csv file is constantly updated such that the reaper does not
  remove the job from underneath.
* Default: 86400 (24 hours)

remote_ttl = <integer>
* How long, in seconds, the search artifacts from searches run in behalf of
  a search head should be stored on the indexer after completion.
* Default: 600 (10 minutes)

shc_cached_artifacts_ttl = <integer>
* The maximum amount of time, in seconds, that search artifacts generated by 
  asynchronous replication or downloaded from remote storage can persist on
  search head cluster members that did not originally run the search.
* NOTE: This setting does not apply to replicated artifacts containing a
  "shpoolManaged" file. Those replicas are removed when the original copy is
  removed.
* 'failed_job_ttl' takes precedence for artifacts from failed 
  search jobs and artifacts missing a metadata.csv file.
* If a job is being actively viewed in the Splunk UI then the modtime of
  the status.csv file is constantly updated such that the reaper does not
  remove the job from underneath.
* Default: 86400 (24 hours)

ttl = <integer>
* How long, in seconds, the search artifacts should be stored on disk after
  the job completes. The ttl is computed relative to the modtime of the
  status.csv file of the job, if the file exists, or the modtime of the
  artifact directory for the search job.
* If a job is being actively viewed in the Splunk UI then the modtime of
  the status.csv file is constantly updated such that the reaper does not
  remove the job from underneath.
* Default: 600 (10 minutes)

check_search_marker_done_interval = <integer>
* The amount of time, in seconds, that elapses between checks of search marker
  files, such as hot bucket markers and backfill complete markers.
* This setting is used to identify when the remote search process on the
  indexer completes processing all hot bucket and backfill portions of
  the search.
* Default: 60

check_search_marker_sleep_interval = <integer>
* The amount of time, in seconds, that the process will sleep between
  subsequent search marker file checks.
* This setting is used to put the process into sleep mode periodically on the
  indexer, then wake up and check whether hot buckets and backfill portions
  of the search are complete.
* Default: 1

srtemp_dir_ttl = <integer>
* The time to live, in seconds, for the temporary files and directories
  within the intermediate search results directory tree.
* These files and directories are located in $SPLUNK_HOME/var/run/splunk/srtemp.
* Every 'srtemp_dir_ttl' seconds, the reaper removes files and directories
  within this tree to reclaim disk space.
* The reaper measures the time to live through the newest file modification time
  within the directory.
* When set to 0, the reaper does not remove any files or directories in this
  tree.
* Default: 86400 (24 hours)

search_transaction_establish_connection_max_retries = <integer>
* Controls the number of retries a search head performs when it initially 
  contacts search peers.
* NOTE: Do not change this setting unless instructed to do so by Splunk Support.
* Default: 3

Unsupported settings

# This section contains settings that are no longer supported.

enable_status_cache = <boolean>
* This is not a user tunable setting.  Do not use this setting without
  working in tandem with Splunk personnel.  This setting is not tested at
  non-default.
* This controls whether the status cache is used, which caches information
  about search jobs (and job artifacts) in memory in main splunkd.
* Normally this cacheing is enabled and assists performance. However, when
  using Search Head Pooling, artifacts in the shared storage location will be
  changed by other search heads, so this cacheing is disabled.
* Explicit requests to jobs endpoints , eg /services/search/jobs/<sid> are
  always satisfied from disk, regardless of this setting.
* Default (when search head pooling is not enabled): true
* Default (when search head pooling is enabled): false

status_cache_in_memory_ttl = <positive integer>
* This is not a user tunable setting. Do not use this setting without working
  in tandem with Splunk personnel. This setting is not tested at non-default.
* This setting has no effect unless search head pooling is enabled, AND
  enable_status_cache has been set to true.
* If set, controls the number of milliseconds which a status cache entry may be
  used before it expires.
* Default: 60000 (60 seconds)

Unused settings

# This section contains settings that have been deprecated. These settings
# remain listed in this file for backwards compatibility.

max_bucket_bytes = <integer>
* This setting has been deprecated and has no effect.

rr_min_sleep_ms = <integer>
* REMOVED.  This setting is no longer used.

rr_max_sleep_ms = <integer>
* REMOVED.  This setting is no longer used.

rr_sleep_factor = <integer>
* REMOVED.  This setting is no longer used.


Distributed search throttling

# This section describes peer-side settings for distributed search throttling.

[search_throttling::per_cpu]

max_concurrent = <unsigned integer>
* Sets the maximum number of remote searches for each available CPU.
  The total number of searches for this throttling type is thus calculated as:
  max_searches = max_concurrent x number_of_cpus
* When the calculated value is exceeded, search requests are rejected until the number
  of concurrent searches falls below the limit.
* A value of 0 disables throttling.
* This setting is relevant only when used with 'remote_search_requests_throttling_type'.
* Default: 12

[search_throttling::physical_ram]

min_memory_per_search = <unsigned integer>[KB|MB|GB]
* Sets the minimum memory requirement per search instance.
  The total number of searches for this throttling type is thus calculated as:
  max_searches = available_system_memory / min_memory_per_search
* When the calculated value is exceeded, search requests are rejected until the number
  of concurrent searches falls below the limit.
* A value of 0 disables throttling.
* This setting is relevant only when used with 'remote_search_requests_throttling_type'.
* Specify this value as an integer followed by KB, MB, or GB (for example,
  10MB is 10 megabytes)
* Default: 450MB


OTHER COMMAND SETTINGS


# This section contains the stanzas for the SPL commands, except for the
# search command, which is in separate section.

[anomalousvalue]

maxresultrows = <integer>
* Configures the maximum number of events that can be present in memory at one
  time.
* Default: The value set for 'maxresultrows' in the [searchresults] stanza,
  which is 50000 by default.

maxvalues = <integer>
* Maximum number of distinct values for a field.
* Default: 0

maxvaluesize = <integer>
* Maximum size, in bytes, of any single value (truncated to this size if
  larger).
* Default: 0

[associate]

maxfields = <integer>
* Maximum number of fields to analyze.
* Default: 10000

maxvalues = <integer>
* Maximum number of values for any field to keep track of.
* Default: 0

maxvaluesize = <integer>
* Maximum length of a single value to consider.
* Default: 0

[autoregress]

maxp = <integer>
* Maximum number of events for auto regression.
* Default: 10000

maxrange = <integer>
* Maximum magnitude of range for p values when given a range.
* Default: 1000

[collect]

format_multivalue_collect = <boolean>
* Specifies whether the 'collect' processor should format multivalued fields
  specially when it collects them into a summary index.
* A setting of 'true' means that the 'collect' processor will break each
  value of a multivalue field out into a discrete key/value pair.
  * For example, when this setting is 'true' and the 'collect' processor is
    given the field 'alphabet' with values 'a, b, c', the 'collect' processor
    adds the following fields to the summary index:
    alphabet="a", alphabet="b", alphabet="c"
* A setting of 'false' means that the 'collect' processor will collect
  each multivalued field as a single key with values listed and
  newline-separated.
  * For example, when this setting is 'false' and the 'collect' processor is
    given the field 'alphabet' with values 'a, b, c', the 'collect' processor
    adds the following field to the summary index:
    alphabet="a
              b
              c"
* Default: false

collect_ignore_minor_breakers = <boolean>
* Specifies whether the 'collect' command adds quotation marks around field
  values containing major or minor breakers when the command collects those
  values into a summary index.
* A setting of 'true' means that the 'collect' command checks for major
  breakers in field values, such as spaces, square or curly brackets,
  parentheses, semicolons, or exclamation points. If 'collect' finds major
  breakers in a field value, it adds quotation marks to that field value. This
  enables the use of 'tstats' with the PREFIX() directive on fields that do not
  contain major breakers.
* A setting of 'false' means that the 'collect' command adds quotation marks
  when it finds either a minor breaker or a major breaker in a field value.
* For example, say you have the field-value pair 'user_name = name@spl.com'. In
  this case both '@' and '.' are minor breakers.
  * When 'collect_ignore_minor_breakers = true', the 'collect' command does not
    enclose the value of 'user_name' in quotation marks when it adds the
    field-value pair to the summary index: user_name = name@spl.com
  * When 'collect_ignore_minor_breakers = false', the 'collect' command encloses
    the value of 'user_name' in quotation marks because 'collect' detects that
    the value contains minor breakers. In this case, this is what 'collect'
    adds to the summary index: user_name = "name@spl.com"
* Default: false

[concurrency]

max_count = <integer>
* Maximum number of detected concurrencies.
* Default: 10000000

[correlate]

maxfields = <integer>
* Maximum number of fields to correlate.
* Default: 1000

[ctable]

* This stanza controls settings for the contingency command.
* Aliases for the contingency command are: ctable and counttable.

maxvalues = <integer>
* Maximum number of columns/rows to generate (the maximum number of distinct
  values for the row field and column field).
* Default: 1000

[dbinspect]

maxresultrows = <integer>
* The maximum number of result rows that the dbinspect command can fetch
  at one time.
* A smaller value uses less search head memory in scenarios with large
  number of buckets. However, setting the value too small decreases
  search performance.
* Note: Do not change this setting unless instructed to do so by Splunk Support.
* Default: 50000

[discretize]

* This stanza contains the settings for the bin command.
* Aliases for the bin command are: bucket and discretize.

default_time_bins = <integer>
* When discretizing time for timechart or explicitly via bin, the default bins
  to use if no span or bins is specified.
* Default: 100

maxbins = <integer>
* Maximum number of bins to discretize into.
* If 'maxbins' is not specified or = 0, 'maxbins' uses the value set for
  'maxresultrows' in the [searchresults] stanza, which is 50000 by default.
* Default: 50000

[eval]

printf_max_precision = <non-negative integer>
* The maximum usable precision for 'printf' format strings.
* Default: 1000000
* NOTE: Do not change this setting unless instructed to do so by Splunk
  Support.

printf_max_width = <integer>
* The maximum usable width for 'printf' format strings.
* Default: 1000000
* NOTE: Do not change this setting unless instructed to do so by Splunk
  Support.

[findkeywords]

maxevents = <integer>
* Maximum number of events used by the findkeywords command and the
  Patterns tab.
* Default: 50000

[geomfilter]

enable_clipping = <boolean>
* Whether or not polygons are clipped to the viewport provided by the
  render client.
* Default: true

enable_generalization = <boolean>
* Whether or not generalization is applied to polygon boundaries to reduce
  point count for rendering.
* Default: true

[geostats]

filterstrategy = <integer>
* Controls the selection strategy on the geoviz map.
* Valid values are 1 and 2.

maxzoomlevel = <integer>
* Controls the number of zoom levels that geostats will cluster events on.

zl_0_gridcell_latspan = <decimal>
* Controls what is the grid spacing in terms of latitude degrees at the
  lowest zoom level, which is zoom-level 0.
* Grid-spacing at other zoom levels are auto created from this value by
  reducing by a factor of 2 at each zoom-level.

zl_0_gridcell_longspan = <decimal>
* Controls what is the grid spacing in terms of longitude degrees at the
  lowest zoom level, which is zoom-level 0
* Grid-spacing at other zoom levels are auto created from this value by
  reducing by a factor of 2 at each zoom-level.

[inputcsv]

mkdir_max_retries = <integer>
* Maximum number of retries for creating a tmp directory (with random name as
  subdir of SPLUNK_HOME/var/run/splunk)
* Default: 100

[iplocation]

db_path = <path>
* The absolute path to the GeoIP database in the MMDB format.
* The 'db_path' setting does not support standard Splunk environment
  variables such as SPLUNK_HOME.
* Default: The database that is included with the Splunk platform.

[join]

subsearch_maxout = <integer>
* The maximum number of result rows to output from subsearch to join against
* The join command subsearch results are restricted by two settings, 'subsearch_maxout'
setting in this stanza and 'maxresultrows' setting in the [searchresults] stanza.
* Default: 50000

subsearch_maxtime = <integer>
* Maximum search time, in seconds, before auto-finalization of subsearch.
* Default: 60

subsearch_timeout = <integer>
* Maximum time, in seconds, to wait for subsearch to fully finish.
* Default: 120
* DEPRECATED

[kmeans]

maxdatapoints = <integer>
* Maximum data points to do kmeans clusterings for.
* Default: 100000000 (100 million)

maxkrange = <integer>
* Maximum number of k values to iterate over when specifying a range.
* Default: 100

maxkvalue = <integer>
* Maximum number of clusters to attempt to solve for.
* Default: 1000

[lookup]

batch_index_query = <boolean>
* Should non-memory file lookups (files that are too large) use batched queries
  to possibly improve performance?
* Default: true

batch_response_limit = <integer>
* When doing batch requests, the maximum number of matches to retrieve.
* If more than this limit of matches would otherwise be retrieved, the lookup
  falls back to non-batch mode matching.
* Default: 5000000

max_lookup_messages = <positive integer>
* If more than "max_lookup_messages" log entries are generated, additional
  entries will not be logged in info.csv. All entries will still be logged in
  search.log.

max_matches = <integer>
* DEPRECATED: Use this setting in transforms.conf for lookup definitions.

max_memtable_bytes = <integer>
* Maximum size, in bytes, of static lookup file to use an in-memory index for.
* Lookup files with size above max_memtable_bytes will be indexed on disk
* NOTE: This setting also applies to lookup files loaded through the lookup()
  eval function *which runs at search time*. The same function if called through
  the ingest-eval functionality, uses ingest_max_memtable_bytes instead.
* CAUTION: Setting this to a large value results in loading large lookup
  files in memory. This leads to a bigger process memory footprint.
* Default: 26214400 (25MB)

ingest_max_memtable_bytes = <integer>
* Maximum size, in bytes, of static lookup file to use for a lookup when
  used in the ingest context. (i.e when used with the lookup() eval function
  at ingest time).
* Lookup files with size above ingest_max_memtable_bytes cannot be used for
  the lookup() eval function when used with the ingest-eval functionality.
* CAUTION: Setting this to a large value results in loading large lookup
  files in memory. This leads to a bigger process (splunkd) memory footprint.
* Default: 10485760 (10MB)

ingest_lookup_refresh_period_secs = <integer>
* Period of time, in seconds, after which the in-memory lookup tables that are used
  with the lookup() eval function at ingest time are refreshed.
* This does not apply if the lookup() function is used at search time.
* Default: 60 (1 minute).

indexed_csv_ttl = <positive integer>
* Specifies the amount of time, in seconds, that a indexed CSV lookup table
  can exist without update before it is removed by Splunk software.
* On a period set by 'indexed_csv_keep_alive_timeout', Splunk software checks
  the CSV lookup table to see if it has been updated. If it has been updated,
  Splunk software modifies a special token file.
* At the end of the 'indexed_csv_ttl' period Splunk software looks at the token
  file. If the token file shows that its CSV lookup table has been updated,
  Splunk software does not delete that CSV lookup table.
* Default: 300

indexed_csv_keep_alive_timeout = <positive integer>
* Sets the period, in seconds, for an activity check that Splunk software
  performs on indexed CSV lookup tables.
* When Splunk software performs a CSV lookup table check and finds that the
  table has been updated, it marks this activity on a token file. The token
  file update prevents the CSV lookup table from being deleted after
  'indexed_csv_ttl' seconds of inactivity have passed.
* Default: 30

indexed_csv_inprogress_max_timeout = <positive integer>
* Sets the maximum time, in seconds, for Splunk software to wait for ongoing
  indexing of a CSV lookup table to finish before failing any search that is
  awaiting the lookup table.
* Default: 300

max_reverse_matches = <integer>
* maximum reverse lookup matches (for search expansion)
* Default: 50

shared_provider_cache_size = <integer>
* Sets the cache size in bytes that the Splunk software uses when it shares CSV lookups
  across multiple lookup commands.
* The <integer> represents the size of the cache in bytes. This is incremented by the
  size of each in-memory file (in bytes) inserted into the shared cache.
* Set this to 0 to disable lookup sharing, defaults to 200MB (209715200 bytes).
* Do not change this value unless you are advised to do so by Splunk Support or
  a similar authority.
* Default: 209715200

input_errors_fatal = <boolean>
* This setting determines whether certain inputlookup or inputcsv command
  errors cause searches to fail or return a warning message.
* When set to true, this setting causes inputlookup and inputcsv errors to make
  an entire search fail. This happens even when the errors take place in a
  subsearch.
* When set to false, this setting returns a warning message for many
  inputlookup and inputcsv error conditions.
* Certain kinds of errors cause searches to fail no matter how this setting is
  set.
* Default: false

enable_splunkd_kv_lookup_indexing = <boolean>
* This setting determines whether KV Store lookup indexing is performed
  during bundle replication.
* When set to true, KVStore lookup indexing occurs on the main splunkd process,
  asynchronous to searches.
* When set to false, KV Store lookup indexing is triggered by the search
  process, potentially slowing search performance.
* NOTE: Do not change this setting unless instructed to do so by Splunk Support.
* Default: true

enforce_auto_lookup_order = <boolean>
* true: LOOKUP-<name>s in props.conf are looked up in ASCII order by <name>.
* false: LOOKUP-<name>s in props.conf are looked up in random order.
* Default : false

[metadata]

bucket_localize_max_lookahead = <integer>
* This setting is only relevant when using remote storage.
* Specifies the maximum number of buckets the metadata command localizes
  for look-ahead purposes, in addition to the required bucket.
* Increasing this value can improve performance, at the cost of additional
  network/io/disk utilization.
* Valid values are 0-64. Any value larger than 64 will be set to 64. Other
  invalid values will be discarded and the default will be substituted.
* Default: 10

maxcount = <integer>
* The total number of metadata search results returned by the search head;
  after the 'maxcount' is reached, any additional metadata results received from
  the search peers will be ignored (not returned).
* A larger number incurs additional memory usage on the search head.
* Default: 100000

maxresultrows = <integer>
* The maximum number of results in a single chunk fetched by the metadata
  command
* A smaller value will require less memory on the search head in setups with
  large number of peers and many metadata results, though, setting this too
  small will decrease the search performance.
* NOTE: Do not change this setting unless instructed to do so by Splunk Support.
* Default: 10000

[metric_alerts]

* This stanza provides global settings for metric alerts.

condition_evaluation_interval = <integer>
* This setting provides the alert condition evaluation interval in minutes.
* Must be a number from 1 to 60.
* Default: 1

search_delay = <time specifier>
* Specifies a delay time for metric alert searches. It can be passed to
  the 'allow_skew' setting for the search.
* The search delay allows the search to wait for the latest indexed data.
* For example,
**  15s+ means search delay is at least 15s after the minute determined by
    `condition_evaluation_interval`.
**  15s+30s means search delay is a random number from 15s to 45s after the minute.
* Only change this setting if you are experiencing significant data latency
  issues.
* Default: 15s+

search_ttl = <positive integer>p
* Specifies the default life span of metric alert search jobs.
* The time to live is defined as "at least until the Nth periodic run of the
  search, where the period is defined by the 'condition_evaluation_interval'
  setting".
* Default: 2p

honor_action = <boolean>
* Specifies whether the Splunk software should change the 'search_ttl' to the
  action ttl when an action is triggered.
* If there are multiple actions, the largest action ttl wins.
* Default: false

[msearch]

chunk_size = <unsigned integer>
* Specifies the default value of the 'chunk_size' argument for the 'msearch'
  command.
* When you run an 'msearch' search, the search head returns batches of metric
  time series until the search result set is complete.
* This argument sets a limit for the number of metric time series that the
  search head can gather in a single batch from a single MSIDX file. For
  example, when 'chunk_size=100', the search head can return 100 metric time
  series worth of metric data points in batches until the search is complete.
* Lower this value when 'msearch' searches use too much memory, or when they
  infrequently return events.
* Larger 'chunk_size' values can improve search performance, with the tradeoff
  of using more memory per search.
* Smaller 'chunk_size' values can reduce search performance, with the tradeoff
  of using less memory per search.
* This setting cannot be set lower than 10.
* Default: 1000

target_per_timeseries = <unsigned integer>
* Specifies the maximum number of metric data points to retrieve per tsidx file
  associated with an 'msearch' query.
* When set to 0, this setting returns all data points available within the given
  time range for each time series.
* Default: 5

[mvexpand]

* This stanza allows for fine tuning of mvexpand search command.

max_mem_usage_mb = <non-negative integer>
* Overrides the default value for 'max_mem_usage_mb'.
* Limits the amount of RAM, in megabytes (MB), a batch of events or results will
  use in the memory of a search process.
* See definition in the [default] stanza for 'max_mem_usage_mb'
  for more details.
* Default: 500

[mvcombine]

* This stanza allows for fine tuning of mvcombine search command.

max_mem_usage_mb = <non-negative integer>
* Overrides the default value for 'max_mem_usage_mb'
* Limits the amount of RAM, in megabytes (MB), a batch of events or results
  use in the memory of a search process.
* See definition in the [default] stanza for 'max_mem_usage_mb'
  for more details.
* Default: 500

[outputlookup]

outputlookup_check_permission = <boolean>
* Specifies whether the outputlookup command should verify that users
  have write permissions to CSV lookup table files.
* outputlookup_check_permission is used in conjunction with the
  transforms.conf setting check_permission.
* The system only applies outputlookup_check_permission to .csv lookup
  configurations in transforms.conf that have check_permission=true.
* You can set lookup table file permissions in the .meta file for each lookup
  file, or through the Lookup Table Files page in Settings. By default, only
  users who have the admin or power role can write to a shared CSV lookup
  file.
* Default: false

create_context = [app|user|system]
* Specifies the context where the lookup file will be created for the first time.
  If there is a current application context and the following options,
  file will be created under:
  * app    : etc/apps/<app>/lookups
  * user   : etc/users/<user>/<app>/lookups
  Otherwise, file will be created under:
  * system : etc/system/local/lookups
* Default: app

[rare]

maxresultrows = <integer>
* Maximum number of result rows to create.
* If not specified, defaults to the value set for 'maxresultrows' in the
  [searchresults] stanza, which is 50000 by default.
* Default: 50000

maxvalues = <integer>
* Maximum number of distinct field vector values to keep track of.
* Default: 0

maxvaluesize = <integer>
* Maximum length of a single value to consider.
* Default: 0

[rest]

allow_reload = <boolean>
* Whether or not the '_reload' action is allowed for the 
  'rest' search command. 
* Default: false

[set]

maxresultrows = <integer>
* The maximum number of results the set command will use from each result
  set to compute the required set operation.
* Default: 50000

[sort]

maxfiles = <integer>
* Maximum files to open at once.  Multiple passes are made if the number of
  result chunks exceeds this threshold.
* Default: 64.

[spath]

extract_all = <boolean>
* Controls whether to respect automatic field extraction when spath is
  invoked manually.
* If set to "true", all fields are extracted regardless of settings.
* If set to "false", only fields used by later search commands are extracted.
* Default: true

extraction_cutoff = <integer>
* For 'extract-all' spath extraction mode, this setting applies extraction only
  to the first <integer> number of bytes. This setting applies both the auto kv
  extraction and the spath command, when explicitly extracting fields.
* Default: 5000

[stats|sistats]

approx_dc_threshold = <unsigned integer>
* Applies specifically to the estdc(x) function (approximate distinct count).
* When the Splunk software uses estdc(x) for commands such as stats, chart, and
  timechart, it does not use approximated results if the actual number of
  distinct values is below this threshold.
* To always use estimation, set 'approx_dc_threshold=1'.
* Note: When 'approx_dc_threshold=0' the Splunk software uses the default value
  for this setting (1000)
* Default: 1000

dc_digest_bits = <integer>
* The size of the digest used for approximating distinct count.
* The digest is configured to be 2 ^ 'dc_digest_bits' bytes in size.
* Must be >= 8 (128B) and <= 16 (64KB)
* Default: 10 (equivalent to 1KB)

default_partitions = <integer>
* Number of partitions to split incoming data into for parallel/multithreaded
  reduce.
* Default: 1

check_for_invalid_time = <boolean>
* Specifies whether the stats processor returns results for searches with 
  time-sensitive aggregations such as 'latest', 'latest_time', and 'rate' when 
  the '_time' or '_origtime' field is missing from input events. 
* When you run a search that fits this description: 
  * A setting of 'true' means that the stats processor does not return results 
    for that search.
  * A setting of 'false' means that the stats processor returns results for 
    that search that are likely incorrect or random.
  * In either case, the stats processor displays an info message that tells you 
    what has gone wrong and how it can be corrected.
* Default: false

list_maxsize = <integer>
* Maximum number of list items to emit when using the list() function
  stats/sistats
* Default: 100

max_keymap_rows = <integer>
* Limits the number of result rows that the search head stores in the key map
  during the map phase of a 'stats' operation. The Splunk software looks up
  rows stored in the map and combines them greedily prior to final reduce.
* 'Stats' performance is nonlinear with respect to the number of rows in
  the key map. Limiting the number of rows held can improve performance.
* Excess rows expunged from the key map remain in memory, subject to
  max_mem_usage_mb.
* A key map maps vectors of group-by keys (field values) to their associated
  rows. It is a feature of the 'stats' family of search commands.
* This setting applies particularly to high cardinality searches.
* This setting does not apply to 'streamstats' or 'eventstats' searches.
* Default: 1000000

maxmem_check_freq = <integer>
* How frequently, in number of rows, to check if the in-memory data
  structure size limit is exceeded, as specified by the
  'max_mem_usage_mb' setting.
* Default: 50000

maxresultrows = <integer>
* Maximum number of rows allowed in the process memory.
* When the search process exceeds 'max_mem_usage_mb' and 'maxresultrows',
  data is sent to the disk.
* If not specified, uses the value set for 'maxresultrows' in the
  [searchresults] stanza, which is 50000 by default.
* Default: 50000

max_stream_window = <integer>
* For the streamstats command, the maximum allow window size.
* Default: 10000

maxvalues = <integer>
* Maximum number of values for any field to keep track of.
* When set to "0": Specifies an unlimited number of values.
* Default: 0

maxvaluesize = <integer>
* Maximum length of a single value to consider.
* When set to "0": Specifies an unlimited number of values.
* Default: 0

max_valuemap_bytes = <integer>
* For the sistats command, the maximum encoded length of the valuemap,
  per result written out.
* If limit is exceeded, extra result rows are written out as needed.
* 0 = no limit per row
* Default: 100000

natural_sort_output = <boolean>
* Whether or not to perform a natural sort on the output of 'stats'
  if the output size is greater than or equal to the 'maxresultrows'
  setting.
* A natural sort means that numbers are sorted numerically and non-numbers
  are sorted lexicographically.
* Default: true

partitions_limit = <integer>
* Maximum number of partitions to split into that can be specified with the
  'partitions' option.
* When exceeded, the number of partitions is reduced to this limit.
* Default: 100

perc_method = nearest-rank|interpolated
* Which method to use for computing percentiles (and medians=50 percentile).
  * nearest-rank picks the number with 0-based rank R =
    floor((percentile/100)*count)
  * interpolated means given F = (percentile/100)*(count-1),
    pick ranks R1 = floor(F) and R2 = ceiling(F).
    Answer = (R2 * (F - R1)) + (R1 * (1 - (F - R1)))
* See wikipedia percentile entries on nearest rank and "alternative methods"
* Default: nearest-rank

perc_digest_type = rdigest|tdigest
* Which digest algorithm to use for computing percentiles
  ( and medians=50 percentile).
  * rdigest picks the rdigest_k, rdigest_maxnodes and perc_method properties.
  * tdigest picks the tdigest_k and tdigest_max_buffer_size properties.
* Default: tdigest

sparkline_maxsize = <integer>
* Maximum number of elements to emit for a sparkline
* Default: The value of the 'list_maxsize' setting

sparkline_time_steps = <time-step-string>
* Specify a set of time steps in order of decreasing granularity. Use an
  integer and one of the following time units to indicate each step.
  * s = seconds
  * m = minutes
  * h = hours
  * d = days
  * month
* A time step from this list is selected based on the <sparkline_maxsize>
  setting.
* The lowest <sparkline_time_steps> value that does not exceed the maximum number
* of bins is used.
* Example:
  * If you have the following configurations:
  * <sparkline_time_steps> = 1s,5s,10s,30s,1m,5m,10m,30m,1h,1d,1month
  * <sparkline_maxsize> = 100
  * The timespan for 7 days of data is 604,800 seconds.
  * Span = 604,800/<sparkline_maxsize>.
  * If sparkline_maxsize = 100, then
    span = (604,800 / 100) = 60,480 sec == 1.68 hours.
  * The "1d" time step is used because it is the lowest value that does not
    exceed the maximum number of bins.
* Default: 1s,5s,10s,30s,1m,5m,10m,30m,1h,1d,1month


NOTE: The following are rdigest and tdigest settings.
      rdigest is a data structure used to compute approximate order statistics
      (such as median and percentiles) using sublinear space.

rdigest_k = <integer>
* rdigest compression factor
* Lower values mean more compression
* After compression, number of nodes guaranteed to be greater than or equal to
  11 times k.
* Must be greater than or equal to 2.
* Default: 100

rdigest_maxnodes = <integer>
* Maximum rdigest nodes before automatic compression is triggered.
* When set to "1": Specifies to automatically configure based on k value.
* Default: 1

tdigest_k = <integer>
* tdigest compression factor
* Higher values mean less compression, more mem usage, but better accuracy.
* Must be greater than or equal to 1.
* Default: 50

tdigest_max_buffer_size = <integer>
* Maximum number of elements before automatic reallocation of buffer storage
  is triggered.
* Smaller values result in less memory usage but is slower.
* Very small values (<100) are not recommended as they will be very slow.
* Larger values help performance up to a point after which it actually
  hurts performance.
* Recommended range is around 10tdigest_k to 30tdigest_k.
* Default: 1000

tmpfile_compression = <string>
* temporary file compression format, used for stats tmp files only
* "lz4" indicates use of the lz4 format
* "zstd" indicates use of the zstd format
* "none" indicates use of no compression
* Default: lz4

tmpfile_compression_level = <int>
* Temporary file compression format level.
* If tmpfile_compression is lz4 or zstd, this will indicate the compression level.
* For zstd higher numbers indicate higher speed, and lower compression ratios.
* For lz4 higher numbers indicate lower speed, and higher compression ratios.
* Default: 0

min_chunk_size_kb = <integer>
* Specifies the minimum size of a chunk of intermediate results during 'stats' 
  search processing. See 'chunk_size_double_every' for additional details.
* This affects the minimum amount of ram required for low-cardinality 'stats'
  searches as well as the size and number of the files produced when that
  data is spilled to disk due to memory pressure.
* Adjust this value only when such an adjustment is absolutely necessary. 
  * If the 'stats' process must use less memory in low cardinality cases, 
    reduce this value at the cost of increased filesystem inode usage and
    possibly decreased search performance.
  * If the 'stats' process must use fewer filesystem inodes and create larger
    data chunks even for small searches, increase this value at the cost of
    memory in low cardinality searches.
* Default: 64

max_chunk_size_kb = <integer>
* Specifies the maximum size of a chunk of intermediate results during
  'stats' search processing. See 'chunk_size_double_every' for additional 
  details.
* By limiting the maximum chunk size, this setting affects the number of data
  chunks that the 'stats' processor can create when intermediate data is 
  spilled to disk due to memory pressure.  
* Increase this setting if you need to reduce the filesystem inode usage of your
  'stats' processes.
* This setting should never exceed 1/20th of 'max_mem_usage_mb'.
* Default: 4096

chunk_size_double_every = <integer>
* The 'stats' processor stores intermediate data for 'stats' searches in data 
  chunks. These intermediate data chunks must have a size between 
  'min_chunk_size_kb' and 'max_chunk_size_kb'.
* At the start of a stats job, the 'stats' processor sets the chunk size 
  at the 'min_chunk_size_kb' limit. However, when the number of chunks it 
  creates reaches the threshold set by 'chunk_size_double_every', the 'stats' 
  processor doubles the size of each chunk it creates thereafter. The 'stats' 
  processor continues doubling the chunk size it creates each time it creates 
  an additional number of chunks equivalent to 'chunk_size_double_every'. The 
  'stats' processor stops doubling the chunk size when it reaches the 
  'max_chunk_size_kb' limit.
* This behavior lets the 'stats' processor begin 'stats' processes with small 
  data chunks, which reduces ram usage on low cardinality searches. It also 
  lets the 'stats' processor increase the chunk size when it spills a lot 
  of data to disk, which reduces filesystem inode usage for high cardinality
  searches.
* To minimize allocation of unused memory, increase the 
  'chunk_size_double_every' threshold to keep the chunks smaller for a longer 
  amount of time. 
* To reduce filesystem inode usage, decrease the 'chunk_size_double_every'
  threshold so the 'stats' processor reaches the 'max_chunk_size_kb' limit 
  quicker. This lowers the number of temporary files created by the search 
  process.
* Default: 100

[top]

maxresultrows = <integer>
* Maximum number of result rows to create.
* If not specified, uses the value set for 'maxresultrows' in the
  [searchresults] stanza, which is 50000 by default.
* Default: 50000

maxvalues = <integer>
* Maximum number of distinct field vector values to keep track of.
* Default: 100000

maxvaluesize = <integer>
* Maximum length of a single value to consider.
* Default: 1000

[transactions]

maxopentxn = <integer>
* Specifies the maximum number of not yet closed transactions to keep in the
  open pool before starting to evict transactions.
* Default: 5000

maxopenevents = <integer>
* Specifies the maximum number of events (which are) part of open transactions
  before transaction eviction starts happening, using LRU policy.
* Default: 100000

[tscollect]

squashcase = <boolean>
* The default value of the 'squashcase' argument if not specified by the command
* Default: false

keepresults = <boolean>
* The default value of the 'keepresults' argument if not specified by the command
* Default: false

optimize_max_size_mb = <unsigned integer>
* The maximum size in megabytes of files to create with optimize
* Specify 0 for no limit (may create very large tsidx files)
* Default: 256

[tstats]

allow_old_summaries = <boolean>
* Whether or not the 'tstats' command, when run on an accelerated datamodel,
  confirms that the datamodel search in each bucket's summary metadata is
  considered to be up to date with the current datamodel search.
* Only bucket summaries that are considered "up to date" are used to
  deliver results.
* This value is the default value of the 'allow_old_summaries' setting,
  if that argument is not specified in the command.
* When set to "false", 'tstats' always confirms that the datamodel
  search in each bucket's summary metadata is considered up to date with the
  current datamodel search.
* When set to "true", 'tstats' delivers results even from bucket summaries
  that are considered out of date with the current datamodel.
* Default: false

apply_search_filter = <boolean>
* Whether or not 'tstats' applies role-based search filters when users
  run the command on normal index data.
* If set to "true", 'tstats' applies role-based search filters.
* NOTE: Regardless of this setting value, 'tstats' never applies search
  filters to data collected with 'tscollect', or with datamodel acceleration.
* Default: true

bucket_localize_max_lookahead = <integer>
* This setting is only relevant when using remote storage.
* Specifies the maximum number of buckets the tstats command localizes for
  look-ahead purposes, in addition to the required bucket.
* Increasing this value can improve performance, at the cost of additional
  network/io/disk utilization.
* Valid values are 0-64. Any value larger than 64 will be set to 64. Other
  invalid values will be discarded and the default will be substituted.
* Default: 10

chunk_size = <unsigned integer>
* ADVANCED: The default value of 'chunk_size' arg if not specified by
  the command
* This argument controls how many events are retrieved at a time within a
  single TSIDX file when answering queries
* Consider lowering this value if tstats queries are using too much memory
  (cannot be set lower than 10000)
* Larger values will tend to cause more memory to be used (per search) and
  might have performance benefits.
* Smaller values will tend to reduce performance and might reduce memory used
  (per search).
* Altering this value without careful measurement is not advised.
* Default: 10000000

include_events_omitted_when_filtering_numeric_values = <boolean>
* When you run a 'tstats' search that filters numeric values of one or more
  fields, it might omit events where those fields do not exist or have NULL
  values from the search results.
* This setting specifies whether this omission of events takes place when
  'tstats' filters out events based on numeric values of fields.
* A setting of 'true' means that when the 'tstats' command filters out events
  where a field has a specific numeric value, it also matches events where
  that field is not present.
* A setting of 'false' means that when the 'tstats' command filters out events
  where a field has a specific numeric value, it also omits events where that
  field is not present.
* Default: false

summariesonly = <boolean>
* Whether or not 'tstats' employs a mixed mode when running against an
  accelerated datamodel.
* This value is the default value for the 'summariesonly' setting, if that
  argument is not specified in the command.
* In mixed mode, 'tstats' falls back to search if it encounters missing
  tsidx data.
* If set to "true", 'tstats' overrides this mixed mode, and only generates
  results from available tsidx data, which might be incomplete.
* If set to "false", 'tstats' uses mixed mode, and falls back to search for
  tsidx data that is missing.
* Default: false

warn_on_missing_summaries = <boolean>
* ADVANCED: Only meant for debugging 'summariesonly=true' searches on
  accelerated datamodels.
* When set to "true", search will issue a warning for a tstats 'summariesonly=true'
  search for the following scenarios:
    a) If there is a non-hot bucket that has no corresponding datamodel
    acceleration summary whatsoever.
    b) If the bucket's summary does not match with the current datamodel
    acceleration search.
* Default: false

batch_search_max_pipeline = <integer>
* Controls the number of tstats/mstats search pipelines launched at the
  indexer during batch search.
* Increase the number of search pipelines to improve search performance, at
  the cost of a concurrent increase in thread and memory usage.
* This value applies only to searches that run on remote indexers.
* Default: 1

use_bloomfilter = <boolean>
* Specifies whether the Splunk software uses Bloom filters to optimize searches.
* When set to 'true', the Splunk software consults 'bloomfilter' files that may 
  be present in index buckets to determine whether those buckets contain 
  relevant search terms, thereby enabling the software to skip search of tsidx 
  files that do not have relevant search terms. In this way, Bloom filter usage 
  can improve search performance.
* When set to 'false', the Splunk software searches tsidx summary files without 
  filtering out tsidx files that do not have relevant terms.  
* NOTE: Do not change this setting unless instructed to do so by Splunk Support.
* Default: true

update_datamodel_usage_stats = <boolean>
* Specifies whether or not Splunk software can call the summary touch endpoint
  when it detects that it is using summaries from an accelerated data model.
* The summary touch endpoint is an internal endpoint that helps track how
  frequently a summary is being used, if ever.
* When 'update_datamodel_usage_stats' is set to "false", Splunk software skips this
  endpoint call.
* NOTE: Do not change this setting unless instructed to do so by Splunk Support.
* Default: true

[mstats]

time_bin_limit = <unsigned integer>
* Applies only to mstats search jobs.
* Controls how many time bins can be allocated within a single TSIDX file when
  the search head processes mstats search jobs that group results by time (by
  using 'span', for example).
* When this setting is set to 0, there is no time bin limit for qualifying
  mstats search jobs. Removing the time bin limit can cause the Splunk platform
  to run out of memory when you run those jobs.
* Lower this value when your mstats search jobs are using too much memory per
  search.
* Raise this value if your mstats searches return errors when they have wide
  time ranges or their group-by spans are too small.
* The Splunk platform estimates the number of time bins a search requires by
  dividing its time range by its group-by span. If range/span >
  'time_bin_limit', it outputs an error. This could happen with a search with a
  time range of a year and a span of '1s', for example.
  * The search time range is determined through the 'earliest' and 'latest'
    values for the search.
  * Some types of searches, such as 'all time' searches, do not have 'earliest'
    and 'latest' values. In those cases the Splunk platform checks within each
    single TSIDX file to derive a time range for the search.
* Default: 1000000

use_bloomfilter = <boolean>
* Specifies whether the Splunk software uses Bloom filters to optimize searches.
* When set to 'true', the Splunk software consults 'bloomfilter' files that may 
  be present in index buckets to determine whether those buckets contain 
  relevant search terms, thereby enabling the software to skip search of tsidx 
  files that do not have relevant search terms. In this way, Bloom filter usage 
  can improve search performance.
* When set to 'false', the Splunk software searches tsidx summary files without 
  filtering out tsidx files that do not have relevant terms.  
* NOTE: Do not change this setting unless instructed to do so by Splunk Support.
* Default: true

[typeahead]

cache_ttl_sec = <integer>
* How long, in seconds, the typeahead cached results are valid.
* Default 300

fetch_multiplier = <integer>
* A multiplying factor that determines the number of terms to fetch from the
  index, fetch = fetch_multiplier x count.
* Default: 50

max_concurrent_per_user = <integer>
* The maximum number of concurrent typeahead searches per user. Once this
  maximum is reached only cached typeahead results might be available
* Default: 3

maxcount = <integer>
* Maximum number of typeahead results to find.
* Default: 1000

max_servers = <integer>
* Specifies the maximum number of remote search servers that are used in 
  addition to the search head for the purpose of providing typeahead 
  functionality. 
* When properly set, 'max_servers' minimizes the workload impact of 
  running typeahead search jobs in a clustering deployment. If your target 
  indexes are evenly distributed among search servers, use the default setting 
  or a similarly low number. 
* For load balancing, the choice of remote search servers for typeahead 
  searches is random. 
* When set to "0": There is no limit and all available search servers 
  are used for typeahead search jobs.
* Default: 2

min_prefix_length = <integer>
* The minimum length of the string prefix after which to provide typeahead.
* Default: 1

use_cache = <boolean>
* Specifies whether the typeahead cache will be used if use_cache is not
  specified in the command line or endpoint.
* Default: true or 1

banned_segments = <semicolon-separated-list>
* Specifies a semicolon-separated list of segments. The 'typeahead' search
  processor filters events with these segments out of the results it returns.
* A best practice is to bracket each listed segment with wildcard asterisks
  ('*').
  * For example, if you set 'banned_segments = *password*;*SSN*', the
    'typeahead' processor removes any event that contains the string 'password'
    or 'SSN' from the final result set.
* No default

[typer]

maxlen = <integer>
* In eventtyping, pay attention to first <integer> characters of any attribute
  (such as _raw), including individual tokens. Can be overridden by supplying
  the typer operator with the argument maxlen (for example,
  "|typer maxlen=300").
* Default: 10000

[xyseries]

* This stanza allows for fine tuning of xyseries search command.

max_mem_usage_mb = <non-negative integer>
* Overrides the default value for 'max_mem_usage_mb'
* See definition in [default] max_mem_usage_mb for more details



GENERAL SETTINGS


# This section contains the stanzas for a variety of general settings.

[auto_summarizer]

allow_event_summarization = <boolean>
* Whether auto summarization of searches whose remote part returns events
  rather than results will be allowed.
* Default: false

cache_timeout = <integer>
* The minimum amount of time, in seconds, to cache auto summary details and
  search hash codes.
* The cached entry expires randomly between 'cache_timeout' and
  2 * "cache_timeout" seconds.
* Default: 600 (10 minutes)

detailed_dashboard = <boolean>
* Turn on/off the display of both normalized and regular summaries in the
  Report Acceleration summary dashboard and details.
* Default: false

maintenance_period = <integer>
* The period of time, in seconds, that the auto summarization maintenance
  happens
* Default: 1800 (30 minutes)

max_run_stats = <integer>
* Maximum number of summarization run statistics to keep track and expose via
  REST.
* Default: 48

max_verify_buckets = <integer>
* When verifying buckets, stop after verifying this many buckets if no failures
  have been found
* 0 means never
* Default: 100

max_verify_bucket_time = <integer>
* Maximum time, in seconds, to spend verifying each bucket.
* Default: 15

max_verify_ratio = <number>
* Maximum fraction of data in each bucket to verify
* Default: 0.1 (10%)

max_verify_total_time = <integer>
* Maximum total time in seconds to spend doing verification, regardless if any
  buckets have failed or not
* When set to "0": Specifies no limit.
* Default: 0

normalized_summaries = <boolean>
* Turn on/off normalization of report acceleration summaries.
* Default: true

return_actions_with_normalized_ids = [yes|no|fromcontext]
* Report acceleration summaries are stored under a signature/hash which can be
  regular or normalized.
  * Normalization improves the re-use of pre-built summaries but is not
    supported before 5.0. This config will determine the default value of how
    normalization works (regular/normalized)
  * When set to 'fromcontext': Specifies that the end points and summaries
    would be operating based on context.
* Normalization strategy can also be changed via admin/summarization REST calls
  with the 'use_normalization' argument, which can take the values
  "yes"/"no"/"fromcontext"
* Default: fromcontext

search_2_hash_cache_timeout = <integer>
* The amount of time, in seconds, to cache search hash codes
* Default: The value of the 'cache_timeout' setting

shc_accurate_access_counts = <boolean>
* Only relevant if you are using search head clustering
* Turn on/off to make acceleration summary access counts accurate on the
  captain.
* by centralizing

verify_delete = <boolean>
* Should summaries that fail verification be automatically deleted?
* Default: false

disable_transparent_mode_federation = <boolean>
* Disable fowarding summarization searches to the remote search head for
  federated search transparent mode.
* NOTE: Do not change this setting unless instructed to do so by Splunk Support.
* Default: false

[export]

add_offset = <boolean>
* Add an offset/row number to JSON streaming output
* Default: true

add_timestamp = <boolean>
* Add a epoch time timestamp to JSON streaming output that reflects the time
  the results were generated/retrieved
* Default: false

[extern]

perf_warn_limit = <integer>
* Warn when external scripted command is applied to more than this many
  events
* When set to "0": Specifies for no message (message is always INFO level)
* Default: 10000

[auth]

* Settings for managing auth features.

enable_install_apps = <boolean>
* Whether or not the "install_apps" capability is enabled for app installation,
  uninstallation, creation, and update.
* If set to "true", you must be assigned a role that holds the 'install_apps'
  capability to access the 'apps/local' REST endpoint for app installation,
  uninstallation, creation, and update.
* If set to "false", you must be assigned a role that holds either the
  'admin_all_objects' or 'edit_local_apps' capabilities for app installation,
  uninstallation, creation, and update.
* Default: false

[http_input]

max_number_of_tokens = <unsigned integer>
* The maximum number of tokens reported by logging input metrics.
* Default: 10000

max_content_length = <integer>
* The maximum length, in bytes, of HTTP request content that is
  accepted by the HTTP Event Collector server.
* Default: 838860800 (~ 800 MB)

max_number_of_ack_channel = <integer>
* The maximum number of ACK channels accepted by HTTP Event Collector
  server.
* Default: 1000000 (~ 1 million)

max_number_of_acked_requests_pending_query = <integer>
* The maximum number of ACKed requests pending query on HTTP Event
  Collector server.
* Default: 10000000 (~ 10 million)

max_number_of_acked_requests_pending_query_per_ack_channel = <integer>
* The maximum number of ACKed requested pending query per ACK channel on HTTP
  Event Collector server..
* Default: 1000000 (~ 1 million)

metrics_report_interval = <integer>
* The interval, in seconds, of logging input metrics report.
* Default: 60 (1 minute)

[indexpreview]

max_preview_bytes = <integer>
* Maximum number of bytes to read from each file during preview
* Default: 2000000 (2 MB)

max_results_perchunk = <integer>
* Maximum number of results to emit per call to preview data generator
* Default: 2500

soft_preview_queue_size = <integer>
* Loosely-applied maximum on number of preview data objects held in memory
* Default: 100

[inputproc]

file_tracking_db_threshold_mb = <integer>
* The size, in megabytes, at which point the file tracking
  database, otherwise known as the "fishbucket" or "btree", rolls over
  to a new file.
* The rollover process is as follows:
  * After the fishbucket reaches 'file_tracking_db_threshold_mb' megabytes
    in size, a new database file is created.
  * From this point forward, the processor writes new entries to the
    new database.
  * Initially, the processor attempts to read entries from the new database,
    but upon failure, falls back to the old database.
  * Successful reads from the old database are written to the new database.
* NOTE: During migration, if this setting doesn't exist, the initialization
  code in splunkd triggers an automatic migration step that reads in the
  current value for "maxDataSize" under the "_thefishbucket" stanza in
  indexes.conf and writes this value into etc/system/local/limits.conf.

learned_sourcetypes_limit = <0 or positive integer>
* Limits the number of entries added to the learned app for performance
  reasons.
* If nonzero, limits two properties of data added to the learned app by the
  file classifier. (Code specific to monitor:: stanzas that auto-determines
  sourcetypes from content.)
  * The number of sourcetypes added to the learned app's props.conf file will
    be limited to approximately this number.
  * The number of file-content fingerprints added to the learned app's
    sourcetypes.conf file will be limited to approximately this number.
* The tracking for uncompressed and compressed files is done separately, so in
  some cases this value may be exceeded.
* This limit is not the recommended solution for auto-identifying sourcetypes.
  The usual  best practices are to set sourcetypes in input stanzas, or
  alternatively to apply them based on filename pattern in props.conf
  [source::<pattern>] stanzas.
* Default: 1000

max_fd = <integer>
* Maximum number of file descriptors that a ingestion pipeline in Splunk
  will keep open, to capture any trailing data from files that are written
  to very slowly.
* Note that this limit will be applied per ingestion pipeline. For more
  information about multiple ingestion pipelines see parallelIngestionPipelines
  in the server.conf.spec file.
* With N parallel ingestion pipelines the maximum number of file descriptors
  that can be open across all of the ingestion pipelines will be N * max_fd.
* Default: 100

monitornohandle_max_heap_mb = <integer>
* The maximum amount of memory, in megabytes, used by the MonitorNoHandle
  modular input in user mode.
* The memory of this input grows in size when the data being produced
  by applications writing to monitored files comes in faster than the Splunk
  instance can accept it.
* When set to 0, the heap size (memory allocated in the modular input) can grow
  without limit.
* If this size is limited, and the limit is encountered, the input drops
  some data to stay within the limit.
* This setting is valid only on Windows machines.
* Default: 0

tailing_proc_speed = <integer>
* REMOVED.  This setting is no longer used.

monitornohandle_max_driver_mem_mb = <integer>
* The maximum amount of NonPaged memory, in megabytes, used by the kernel
  driver of the MonitorNoHandle modular input.
* The memory of this input grows in size when the data being produced
  by applications writing to monitored files comes in faster than the Splunk
  instance can accept it.
* When set to 0, the NonPaged memory size (memory allocated in the kernel
  driver of the modular input) can grow without limit.
* If this size is limited, and the limit is encountered, the input drops
  some data to stay within the limit.
* This setting is valid only on Windows machines.
* Default: 0

monitornohandle_max_driver_records = <integer>
* The maximum number of in-memory records that the kernel module for
  the MonitorNoHandle modular input stores.
* This setting controls memory growth by limiting the amount of memory
  that the MonitorNoHandle input kernel module uses.
* When 'monitornohandle_max_driver_mem_mb' is set to > 0, this
  setting is ignored.
* The 'monitornohandle_max_driver_mem_mb' and
  'monitornohandle_max_driver_records' settings are mutually exclusive.
* If the limit is encountered, the input drops some data
  to remain within the limit.
* Default: 500.

time_before_close = <integer>
* MOVED.  This setting is now configured per-input in inputs.conf.
* Specifying this setting in limits.conf is DEPRECATED, but overrides
  the setting for all inputs, for now.

[journal_compression]

threads = <integer>
* Specifies the maximum number of indexer threads which will be work on
  compressing hot bucket journal data.
* This setting does not typically need to be modified.
* Default: The number of CPU threads of the host machine

[kv]

avg_extractor_time = <integer>
* Maximum amount of CPU time, in milliseconds, that the average (over search
  results) execution time of a key-value pair extractor will be allowed to take
  before warning. Once the average becomes larger than this amount of time a
  warning will be issued
* Default: 500 (.5 seconds)

limit = <integer>
* The maximum number of fields that an automatic key-value field extraction
  (auto kv) can generate at search time.
* Increase this setting if you want to ensure that the field picker in the Splunk Web
  search page displays all fields.
* Set this value to 0 if you do not want to limit the number of fields
  that can be extracted at search time.
* Default: 100

indexed_kv_limit = <integer>
* The maximum number of fields that can be extracted at index time from a data source.
* This setting does not prevent a search from extracting indexed fields that
  the search needs and explicitly requests.
* The Splunk platform imposes this limit for each index bucket.
* Fields that can be extracted at index time include default fields, custom fields,
  and structured data header fields.
* The summary fields 'host', 'index', 'source', 'sourcetype', 'eventtype', 'linecount',
  'splunk_server', and 'splunk_server_group' do not count against this limit and are
  always returned.
* Increase this setting if, for example, you have indexed data with a large
  number of columns and want to ensure that the field picker in the Splunk Web search
  page displays all fields.
* This setting is different from the 'limit' setting in that it limits field
  extraction in different phases of data processing. Previously, the 'limit'
  setting handled both index-time and search-time field extraction limits, and
  to maintain backward compatibility, both settings work in concert.
* The Splunk platform always uses the higher value for either setting to enforce
  index-time field extraction limits.
  * For example, if you set 'indexed_kv_limit' to "500" and 'limit' to "200",
    then the platform limits indexed-time field extractions to 500 and
    search-time field extractions to 200.
  * If you set 'indexed_kv_limit' to "200" and 'limit' to "500", then the
    platform limits both index-time and search-time field extraction to 500.
* Set this value to 0 if you do not want to limit the number of fields
  that can be extracted at index time.
* Default: 200

maxchars = <integer>
* When non-zero, truncate _raw to this size and then do auto KV.
* Default: 10240 characters

maxcols = <integer>
* When non-zero, the point at which kv should stop creating new fields.
* Default: 512

max_extractor_time = <integer>
* Maximum amount of CPU time, in milliseconds, that a key-value pair extractor
  will be allowed to take before warning. If the extractor exceeds this
  execution time on any event a warning will be issued
* Default: 1000 (1 second)

[kvstore]

max_accelerations_per_collection = <unsigned integer>
* The maximum number of accelerations that can be assigned to a single
  collection
* Valid values range from 0 to 50
* Default: 10

max_documents_per_batch_save = <unsigned integer>
* The maximum number of documents that can be saved in a single batch
* Default: 1000


max_fields_per_acceleration = <unsigned integer>
* The maximum number of fields that can be part of a compound acceleration
  (i.e. an acceleration with multiple keys)
* Valid values range from 0 to 50
* Default: 10

max_queries_per_batch = <unsigned integer>
* The maximum number of queries that can be run in a single batch
* Default: 1000

max_rows_in_memory_per_dump = <unsigned integer>
* The maximum number of rows in memory before flushing it to the CSV projection
  of KVStore collection.
* Default: 200

max_rows_per_query = <unsigned integer>
* The maximum number of rows that will be returned for a single query to
  a collection.
* If the query returns more rows than the specified value, then returned
  result set will contain the number of rows specified in this value.
* Default: 50000

max_size_per_batch_result_mb = <unsigned integer>
* The maximum size, in megabytes (MB), of the result set from a set of
  batched queries
* Default: 100

max_size_per_batch_save_mb = <unsigned integer>
* The maximum size, in megabytes (MB), of a batch save query.
* Default: 50

max_size_per_result_mb = <unsigned integer>
* The maximum size, in megabytes (MB), of the result that will be
  returned for a single query to a collection.
* Default: 50

max_threads_per_outputlookup = <unsigned integer>
* The maximum number of threads to use during outputlookup commands on KVStore
* If the value is 0 the thread count will be determined by CPU count
* Default: 1

[kvstore_migration]

periodic_timer_interval = <integer>
* The interval, in seconds, at which a search head cluster member polls
  the status of a KV Store migration or upgrade after the start of that migration or upgrade.
* The minimum accepted value is 1.
* The maximum accepted value is 60.
* Default: 10

max_failed_status_unchanged_count = <integer>
* The maximum number of intervals, as determined by
  the 'periodic_timer_interval' setting, that a search head cluster member's
  status can remain in a failed state during a KV Store migration or upgrade before the member retries
  that migration or upgrade. If the number of intervals has been exceeded,
  then the member is marked as aborted.
* Once this limit is reached, the member aborts the migration or upgrade.
* Default: 30

version_upgrade_max_start_retries = <unsigned integer>
* This is an internal setting.
* NOTE: Do not change this setting unless instructed to do so by Splunk Support.
* Default: 10

version_upgrade_max_retries = <unsigned integer>
* This is an internal setting.
* NOTE: Do not change this setting unless instructed to do so by Splunk Support.
* Default: 4

version_upgrade_max_command_time_ms = <unsigned integer>
* This is an internal setting.
* NOTE: Do not change this setting unless instructed to do so by Splunk Support.
* Default: 60000

version_upgrade_time_duration_block_s = <unsigned integer>
* This is an internal setting.
* NOTE: Do not change this setting unless instructed to do so by Splunk Support.
* Default: 1

version_upgrade_polling_max_wait_ms = <unsigned integer>
* This is an internal setting.
* NOTE: Do not change this setting unless instructed to do so by Splunk Support.
* Default: 26460000

version_upgrade_polling_version_max_wait_ms = <unsigned integer> 
* This is an internal setting.
* NOTE: Do not change this setting unless instructed to do so by Splunk Support.
* Default: 4800000

version_upgrade_polling_interval_ms = <unsigned integer>
* This is an internal setting.
* NOTE: Do not change this setting unless instructed to do so by Splunk Support.
* Default: 100

version_upgrade_terminate_timeout_s = <unsigned integer>
* This is an internal setting.
* NOTE: Do not change this setting unless instructed to do so by Splunk Support.
* Default: 600

version_upgrade_backup_disabled = <boolean>
* This is an internal setting.
* NOTE: Do not change this setting unless instructed to do so by Splunk Support.
* This setting turns off the creation of a KV store backup before an upgrade.
* If set to "true" and there's a failure, you can't roll back to a previous back up.
* Default: false

version_upgrade_keep_backups = <boolean>
* This is an internal setting.
* NOTE: Do not change this setting unless instructed to do so by Splunk Support.
* After successfully upgrading the KV store, does not clean up the backup that 
  was created on the local disk in $SPLUNK_DB/kvstore/mongo_backup.
* Default: true

[input_channels]

max_inactive = <integer>
* The Maximum number of inactive input channel configurations to keep in cache.
* Each source/sourcetype/host combination requires an independent input
  channel, which contains all relevant settings for ingestion.
* When set to 'auto', the Splunk platform will tune this setting based on the
  physical RAM present in the server at startup.
* Increasing this number might help with low ingestion throughput when there
  are no blocked queues (i.e., no 'blocked=true' events for 'group=queue' in
  metrics.log), and splunkd is creating a very high number of new input
  channels (see the value of 'new_channels' in
  'group=map, name=pipelineinputchannel', also in metrics.log), usually in the
  order of thousands. However, this action is only effective when those input
  channels could have been reused: for example, the source, sourcetype, and
  host fields are not generated randomly and tend to be reused within the
  lifetime of cached channel entries.
* Default: auto

lowater_inactive = <integer>
* Size of the inactive input channel cache after which entries will be
  considered for recycling: having its memory reused for storing settings
  for a different input channel.
* When set to 'auto', the Splunk platform will tune this setting value based
  on the value of 'max_inactive'.
* Default: auto

inactive_eligibility_age_seconds = <integer>
* Time, in seconds, after which an inactive input channel will be removed from
  the cache to free up memory.
* Default: 330

disable_inactive_channels = <boolean>
* Whether or not splunkd disables the inactive input channel cache.
* A value of "true" means splunkd disables the inactive input channel cache and
  maintains the active input channel cache.
* Turning off the inactive input channel cache provides the best
  ingestion performance.
* A value of "false" means splunkd enables the inactive input channel cache.
* Default: true

active_eligibility_age = <integer>
* The time, in seconds, after which splunkd removes an idle input
  channel from the active channel cache to free up memory.
* Default: 3600

[ldap]

allow_multiple_matching_users = <boolean>
* Whether or not Splunk Enterprise allows login when it finds multiple
  entries in LDAP with the same value for the 'username' attribute.
* When multiple entries are found, it chooses the first Distinguished Name
  (DN) lexicographically.
* Setting this to false is more secure as it does not allow any ambiguous
  login, but users with duplicate entries will be unable to login.
* Default: true

max_users_to_precache = <unsigned integer>
* The maximum number of users that are pre-cached from LDAP after
  reloading auth.
* Set this to 0 to turn off pre-caching.

[metrics]

interval = <integer>
* Number of seconds between logging splunkd metrics to metrics.log.
* Minimum of 10.
* Default (Splunk Enterprise): 60
* Default (Splunk Universal Forwarder): 60

maxseries = <integer>
* The number of series to include in the per_x_thruput reports in metrics.log.
* Default: 10

[metrics:tcpin_connections]

aggregate_metrics = <boolean>
* For each splunktcp connection from forwarder, splunk logs metrics information
  every metrics interval.
* When there are large number of forwarders connected to indexer, the amount of
  information logged can take lot of space in metrics.log. When set to true, it
  will aggregate information across each connection and report only once per
  metrics interval.
* Default: false

suppress_derived_info = <boolean>
* For each forwarder connection, _tcp_Bps, _tcp_KBps, _tcp_avg_thruput,
  _tcp_Kprocessed is logged in metrics.log.
* This can be derived from kb. When set to true, the above derived info will
  not be emitted.
* Default: false

idle_connections_log_frequency =  <integer>
* For each splunktcp connection from forwarder, splunk logs metrics information
  every metrics interval "[metrics]->interval". There may be large number of
  idle connections. Idle connection received zero bytes during last
  "[metrics]->interval"*idle_connections_log_frequency seconds.
* Setting to skip logging idle connection metrics to metrics.log.
* A value of 1 means always log idle connection metrics to metrics.log.
* Default: 1

[pdf]

max_rows_per_table = <unsigned integer>
* The maximum number of rows that will be rendered for a table within
  integrated PDF rendering.
* Default: 1000

render_endpoint_timeout = <unsigned integer>
* The number of seconds after which the pdfgen render endpoint will timeout if
  it has not yet finished rendering the PDF output.
* Default: 3600 (60 minutes)

render_chromium_timeout = <unsigned integer>
* The number of seconds after which the Chromium engine will timeout if the
  engine still needs to render the dashboard output.
  This setting does not impact the render_chromium_screenshot_delay.
* Default: 30

render_chromium_screenshot_delay = <unsigned integer>
* The number of seconds after which the Chromium engine takes a screenshot
  of a dashboard to render before exporting the dashboard. 
  This setting does not impact the render_chromium_timeout setting.
* Default: 0

[realtime]

# Default options for indexer support of real-time searches
# These can all be overridden for a single search via REST API arguments

alerting_period_ms = <integer>
* The time, in milliseconds, to wait between triggering alerts during a
  realtime search.
* This setting limits the frequency at which alerts are triggered during
  realtime search.
* A value of 0 means that alerts are triggered for every batch of events
  that are read. In dense realtime searches with expensive alerts, this
  can overwhelm the alerting system.
* Precedence: Searchhead
* Default: 0

blocking = <boolean>
* Whether or not the indexer should block if a queue is full.
* Default: false

default_backfill = <boolean>
* Whether or not windowed real-time searches should backfill events.
* Default: true

enforce_time_order = <boolean>
* Whether or not real-time searches should ensure that events are sorted in
  ascending time order.
* Splunk Web automatically reverses the order that it displays events for
  real-time searches. If set to "true", the latest events will be shown first.
* Default: true

indexfilter = <boolean>
* Whether or not the indexer should pre-filter events for efficiency.
* Default: 1 (true)

indexed_realtime_update_interval = <integer>
* When you run an indexed realtime search, the list of searchable buckets
  needs to be updated. If the Splunk software is installed on a cluster,
  the list of allowed primary buckets is refreshed. If not installed on
  a cluster, the list of buckets, including any new hot buckets are refreshed.
  This setting controls the interval for the refresh. The setting must be
  less than the "indexed_realtime_disk_sync_delay" setting. If your realtime
  buckets transition from new to warm in less time than the value specified
  for the "indexed_realtime_update_interval" setting, data will be skipped
  by the realtime search in a clustered environment.
* Precedence: Indexers
* Default: 30

indexed_realtime_cluster_update_interval = <integer>
* This setting is deprecated. Use the "indexed_realtime_update_interval"
  setting instead.
* While running an indexed realtime search on a cluster, the list of allowed
  primary buckets is updated. This controls the interval at which the list
  is updated. This value must be less than the
  'indexed_realtime_disk_sync_delay' setting. If your buckets transition from
  Brand New to warm in less than the interval time specified, indexed
  realtime will lose data in a clustered environment.
* Precedence: Indexers
* Default: 30

indexed_realtime_default_span = <integer>
* An indexed realtime search is made up of many component historical searches
  that by default will span this many seconds. If a component search is not
  completed in this many seconds the next historical search will span the extra
  seconds. To reduce the overhead of running an indexed realtime search you can
  change this span to delay longer before starting the next component
  historical search.
* Precedence: Indexers
* Default: 1

indexed_realtime_disk_sync_delay = <integer>
* The number of seconds to wait for disk flushes to finish when using
  indexed/continuous/pseudo realtime search, so that all data can be seen.
* After indexing there is a non-deterministic period where the files on disk,
  when opened by other programs, might not reflect the latest flush to disk,
  particularly when a system is under heavy load.
* Precedence: SearchHead overrides Indexers
* Default: 60

indexed_realtime_maximum_span = <integer>
* While running an indexed realtime search, if the component searches regularly
  take longer than 'indexed_realtime_default_span' seconds,
  then indexed realtime search can fall more than
  'indexed_realtime_disk_sync_delay' seconds behind realtime.
* Use this setting to set a limit after which search drops data to
  catch back up to the specified delay from realtime, and only
  search the default span of seconds.
* Precedence: API overrides SearchHead overrides Indexers
* Default: 0 (unlimited)

indexed_realtime_use_by_default = <boolean>
* Whether or not the indexedRealtime mode should be used by default.
* Precedence: SearchHead
* This is an app/user level configuration setting, and cannot be set as global.
* Default: false

local_connect_timeout = <integer>
* Connection timeout, in seconds, for an indexer's search process when
  connecting to that indexer's splunkd.
* Default: 5

local_receive_timeout = <integer>
* Receive timeout, in seconds, for an indexer's search process when
  connecting to that indexer's splunkd.
* Default: 5

local_send_timeout = <integer>
* Send timeout, in seconds, for an indexer's search process when connecting
  to that indexer's splunkd.
* Default: 5

max_blocking_secs = <integer>
* Maximum time, in seconds, to block if the queue is full (meaningless
  if blocking = false)
* 0 means no limit
* Default: 60

queue_size = <integer>
* Size of queue for each real-time search (must be >0).
* Default: 10000

[restapi]

maxresultrows = <integer>
* Maximum result rows to be returned by /events or /results getters from REST
  API.
* Default: 50000

jobscontentmaxcount = <integer>
* Maximum length of a property in the contents dictionary of an entry from
  /jobs getter from REST API
* Value of 0 disables truncation
* Default: 0

time_format_reject = <regular expression>
* HTTP arguments for time_format and output_time_format that match
  this regex will be rejected.
* The regex will be satisfied by a substring match anywhere in the argument.
* Intended as defense-in-depth against XSS style attacks against browser users
  by crafting specially encoded URLS for them to access splunkd.
* If unset, all argument strings are accepted.
* To disable this check entirely, set the value to empty.
  * Example of disabling: time_format_reject =
* Default: [<>!] , which means that the less-than '<', greater-than '>', and
  exclamation point '!' are not allowed.

restprocessor_errors_fatal = <boolean>
* Determines whether to return a hard error for REST command usages that are
  invalid.
* An invalid REST command usage is a REST request that returns an HTTP status
  outside the range of [200, 300].
* Default: false

max_persistent_connections = <integer>
* The maximum number of persistent processes that EAI custom REST handlers can create to serve REST API calls in persistent mode.
* A value of "0" means that there is no limit to the number of processes that the handlers can create.
* Default: 3000

[reversedns]

rdnsMaxDutyCycle = <integer>
* Generate diagnostic WARN in splunkd.log if reverse dns lookups are taking
  more than this percent of time
* Range 0-100
* Default: 10

[sample]

maxsamples = <integer>
* Default: 10000

maxtotalsamples = <integer>
* Default: 100000

[scheduler]

action_execution_threads = <integer>
* Number of threads to use to execute alert actions, change this number if your
  alert actions take a long time to execute.
* This number is capped at 100.
* Default: 10

actions_queue_size = <integer>
* The number of alert notifications to queue before the scheduler starts
  blocking, set to 0 for infinite size.
* Default: 500

actions_queue_timeout = <integer>
* The maximum amount of time, in seconds, to block when the action queue size is
  full.
* Default: 30

alerts_expire_period = <integer>
* The amount of time, in seconds, between expired alert removal
* This period controls how frequently the alerts list is scanned, the only
  benefit from reducing this is better resolution in the number of alerts fired
  at the savedsearch level.
* Change not recommended.
* Default: 120

alerts_max_count = <integer>
* Maximum number of unexpired alerts information to keep for the alerts
  manager, when this number is reached Splunk will start discarding the oldest
  alerts.
* Default: 50000

alerts_max_history = <integer>[s|m|h|d]
* Maximum time to search in the past for previously triggered alerts.
* splunkd uses this property to populate the Activity -> Triggered Alerts
  page at startup.
* Values greater than the default may cause slowdown.
* Relevant units are: s, sec, second, secs, seconds, m, min, minute, mins,
  minutes, h, hr, hour, hrs, hours, d, day, days.
* Default: 7d

alerts_scoping = host|splunk_server|all
* Determines the scoping to use on the search to populate the triggered alerts
  page. Choosing splunk_server will result in the search query
  using splunk_server=local, host will result in the search query using
  host=<search-head-host-name>, and all will have no scoping added to the
  search query.
* Default: splunk_server

async_saved_search_fetch = <boolean>
* Enables a separate thread that will fetch scheduled or auto-summarized saved
  searches asynchronously.
* Do not change this setting unless instructed to do so by Splunk support.
* Default: true

async_saved_search_interval = <integer>
* The interval, in seconds, that scheduled or auto-summarized saved searches
  will be fetched asynchronously.
* Has no effect if async_saved_search_fetch is set to false.
* Default: 30

async_admission_eval_interval = <integer>
* The interval, in seconds, that scheduled saved searches will be evaluated
  for admission rules asynchronously.
* Has no effect if async_saved_search_fetch is set to false.
* If async_saved_search_fetch is false, admission rule evaluation for saved
  searches is done on the scheduler thread.
* Default: 600

scheduler_user_timezone_cache_expiry = <integer>[s|m|h|d]
* The amount of time that the scheduler caches the timezones
  that are associated with the scheduled searches.
* Use this setting to decrease scheduler cycle time by letting the scheduler
  use cached timezones instead of fetching them from the
  configuration cache.
* A value of 0 turns off timezone caching.
* Specify the interval as a string with minutes, seconds, hours, or days.
  For example: 60s, 1m, 1h, 1d, etc.
* Default: 150m

auto_summary_perc = <integer>
* The maximum number of concurrent searches to be allocated for auto
  summarization, as a percentage of the concurrent searches that the scheduler
  can run.
* Auto summary searches include:
  * Searches which generate the data for the Report Acceleration feature.
  * Searches which generate the data for Data Model acceleration.
* NOTE: user scheduled searches take precedence over auto summary searches.
* Default: 50

auto_summary_perc.<n> = <integer>
auto_summary_perc.<n>.when = <cron string>
* The same as auto_summary_perc but the value is applied only when the cron
  string matches the current time.  This allows 'auto_summary_perc' to have
  different values at different times of day, week, month, etc.
* There may be any number of non-negative <n> that progress from least specific
  to most specific with increasing <n>.
* The scheduler looks in reverse-<n> order looking for the first match.
* If either these settings aren't provided at all or no "when" matches the
  current time, the value falls back to the non-<n> value of 'auto_summary_perc'.

concurrency_message_throttle_time = <integer>[s|m|h|d]
* Amount of time controlling throttling between messages warning about scheduler
  concurrency limits.
* Relevant units are: s, sec, second, secs, seconds, m, min, minute, mins,
  minutes, h, hr, hour, hrs, hours, d, day, days.
* Default: 10m

introspection_lookback = <duration-specifier>
* The amount of time to "look back" when reporting introspection statistics.
* For example: what is the number of dispatched searches in the last 60 minutes?
* Use [<integer>]<unit> to specify a duration;
  a missing <integer> defaults to 1.
* Relevant units are: m, min, minute, mins, minutes, h, hr, hour, hrs, hours,
  d, day, days, w, week, weeks.
* For example: "5m" = 5 minutes, "1h" = 1 hour.
* Default: 1h

max_action_results = <integer>
* The maximum number of results to load when triggering an alert action.
* Default: 50000

max_continuous_scheduled_search_lookback = <duration-specifier>
* The maximum amount of time to run missed continuous scheduled searches for
  once Splunk Enterprise comes back up, in the event it was down.
* Use [<integer>]<unit> to specify a duration;
  a missing <integer> defaults to 1.
* Relevant units are: m, min, minute, mins, minutes, h, hr, hour, hrs, hours,
  d, day, days, w, week, weeks, mon, month, months.
* For example: "5m" = 5 minutes, "1h" = 1 hour.
* A value of 0 means no lookback.
* Default: 24h

max_lock_files = <integer>
* The number of most recent lock files to keep around.
* This setting only applies in search head pooling.

max_lock_file_ttl = <integer>
* Time, in seconds, that must pass before reaping a stale lock file.
* Only applies in search head pooling.

max_per_result_alerts = <integer>
* Maximum number of alerts to trigger for each saved search instance (or
  real-time results preview for RT alerts)
* Only applies in non-digest mode alerting. Use 0 to disable this limit
* Default: 500

max_per_result_alerts_time = <integer>
* Maximum amount of time, in seconds, to spend triggering alerts for each
  saved search instance (or real-time results preview for RT alerts)
* Only applies in non-digest mode alerting. Use 0 to disable this limit.
* Default: 300 (5 minutes)

max_searches_perc = <integer>
* The maximum number of searches the scheduler can run, as a percentage of the
  maximum number of concurrent searches, see [search] max_searches_per_cpu for
  how to set the system wide maximum number of searches.
* Default: 50

max_searches_perc.<n> = <integer>
max_searches_perc.<n>.when = <cron string>
* The same as max_searches_perc but the value is applied only when the cron
  string matches the current time.  This allows 'max_searches_perc' to have
  different values at different times of day, week, month, etc.
* There may be any number of non-negative <n> that progress from least specific
  to most specific with increasing <n>.
* The scheduler looks in reverse-<n> order looking for the first match.
* If either these settings aren't provided at all or no "when" matches the
  current time, the value falls back to the non-<n> value of 'max_searches_perc'.

persistence_period = <integer>
* The period, in seconds, between scheduler state persistence to disk. The
  scheduler currently persists the suppression and fired-unexpired alerts to
  disk.
* This is relevant only in search head pooling mode.
* Default: 30

persistance_period = <integer>
* DEPRECATED: Use the 'persistence_period' setting instead.

priority_runtime_factor = <double>
* The amount to scale the priority runtime adjustment by.
* Every search's priority is made higher (worse) by its typical running time.
  Since many searches run in fractions of a second and the priority is
  integral, adjusting by a raw runtime wouldn't change the result; therefore,
  it's scaled by this value.
* Default: 10

priority_skipped_factor = <double>
* The amount to scale the skipped adjustment by.
* A potential issue with the priority_runtime_factor is that now longer-running
  searches may get starved.  To balance this out, make a search's priority
  lower (better) the more times it's been skipped.  Eventually, this adjustment
  will outweigh any worse priority due to a long runtime. This value controls
  how quickly this happens.
* Default: 1

dispatch_retry_delay = <unsigned integer>
* The amount of time, in seconds, to delay retrying a scheduled search that
  failed to dispatch (usually due to hitting concurrency limits).
* Maximum value: 30
* Default: 0

saved_searches_disabled = <boolean>
* Whether saved search jobs are disabled by the scheduler.
* Default: false


scheduled_view_timeout = <integer>[s|m|h|d]
* The maximum amount of time that a scheduled view (pdf delivery) would be
  allowed to render
* Relevant units are: s, sec, second, secs, seconds, m, min, minute, mins,
  minutes, h, hr, hour, hrs, hours, d, day, days.
* Default: 60m

shc_role_quota_enforcement = <boolean>
* When this attribute is enabled, the search head cluster captain enforces
  user-role quotas for scheduled searches globally (cluster-wide).
* A given role can have (n *number_of_members) searches running cluster-wide,
  where n is the quota for that role as defined by srchJobsQuota and
  rtSrchJobsQuota on the captain and number_of_members include the members
  capable of running scheduled searches.
* Scheduled searches will therefore not have an enforcement of user role
  quota on a per-member basis.
* Role-based disk quota checks (srchDiskQuota in authorize.conf) can be
  enforced only on a per-member basis.
  These checks are skipped when shc_role_quota_enforcement is enabled.
* Quota information is conveyed from the members to the captain. Network delays
  can cause the quota calculation on the captain to vary from the actual values
  in the members and may cause search limit warnings. This should clear up as
  the information is synced.
* Default: false

shc_syswide_quota_enforcement = <boolean>
* When this is enabled, Maximum number of concurrent searches is enforced
  globally (cluster-wide) by the captain for scheduled searches.
  Concurrent searches include both scheduled searches and ad hoc searches.
* This is (n * number_of_members) where n is the max concurrent searches per
  node (see max_searches_per_cpu for a description of how this is computed) and
  number_of_members include members capable of running scheduled searches.
* Scheduled searches will therefore not have an enforcement of instance-wide
  concurrent search quota on a per-member basis.
* Note that this does not control the enforcement of the scheduler quota.
  For a search head cluster, that is defined as
  (max_searches_perc * number_of_members)
  and is always enforced globally on the captain.
* Quota information is conveyed from the members to the captain. Network delays
  can cause the quota calculation on the captain to vary from the actual values
  in the members and may cause search limit warnings. This should clear up as
  the information is synced.
* Default: false

shc_local_quota_check = <boolean>
* DEPRECATED. Local (per-member) quota check is enforced by default.
* To disable per-member quota checking, enable one of the cluster-wide quota
  checks (shc_role_quota_enforcement or shc_syswide_quota_enforcement).
* For example, setting 'shc_role_quota_enforcement=true' turns off local role
  quota enforcement for all nodes in the cluster and is enforced cluster-wide
  by the captain.

shp_dispatch_to_slave = <boolean>
* DEPRECATED; use shp_dispatch_to_member instead.

shp_dispatch_to_member = <boolean>
* By default the scheduler should distribute jobs throughout the pool.
* Default: true

search_history_load_timeout = <duration-specifier>
* The maximum amount of time to defer running continuous scheduled searches
  while waiting for the KV Store to come up in order to load historical data.
  This is used to prevent gaps in continuous scheduled searches when splunkd
  was down.
* Use [<integer>]<unit> to specify a duration; a missing <integer> defaults to 1.
* Relevant units are: s, sec, second, secs, seconds, m, min, minute, mins,
  minutes.
* For example: "60s" = 60 seconds, "5m" = 5 minutes.
* Default: 2m

search_history_max_runtimes = <unsigned integer>
* The number of runtimes kept for each search.
* Used to calculate historical typical runtime during search prioritization.
* Default: 10

[search_metrics]

debug_metrics = <boolean>
* This indicates whether to output more detailed search metrics for
  debugging.
* This will do things like break out where the time was spent by peer, and might
  add additional deeper levels of metrics.
* This is NOT related to "metrics.log" but to the "Execution Costs" and
  "Performance" fields in the Search inspector, or the count_map in the
  info.csv file.
* Default: false

[show_source]

distributed = <boolean>
* Whether or not a distributed search is performed to get events from all
  servers and indexes.
* Turning this off results in better performance for show source, but events
  will only come from the initial server and index.
* Default: true

distributed_search_limit = <unsigned integer>
* The maximum number of events that are requested when performing a search
  for distributed show source.
* As this is used for a larger search than the initial non-distributed show
  source, it is larger than max_count
* Splunk software rarely returns anywhere near this number of results,
  as excess results are pruned.
* The point is to ensure the distributed search captures the target event in an
  environment with many events.
* Default: 30000

max_count = <integer>
* Maximum number of events accessible by show_source.
* The show source command will fail when more than this many events are in the
  same second as the requested event.
* Default: 10000

max_timeafter = <timespan>
* Maximum time after requested event to show.
* Default: '1day' (86400 seconds)

max_timebefore = <timespan>
* Maximum time before requested event to show.
* Default: '1day' (86400 seconds)

[rex]

match_limit = <integer>
* Limits the amount of resources that are spent by PCRE
  when running patterns that will not match.
* Use this to set an upper bound on how many times PCRE calls an internal
  function, match(). If set too low, PCRE might fail to correctly match
  a pattern.
* Default: 100000

depth_limit = <integer>
* Limits the amount of resources that are spent by PCRE
  when running patterns that will not match.
* Use this to limit the depth of nested backtracking in an internal PCRE
  function, match(). If set too low, PCRE might fail to correctly match
  a pattern.
* Default: 1000

[slc]

maxclusters = <integer>
* Maximum number of clusters to create.
* Default: 10000.

[slow_peer_disconnect]

# This stanza contains settings for the heuristic that will detect and
# disconnect slow peers towards the end of a search that has returned a
# large volume of data.

batch_search_activation_fraction = <decimal>
* The fraction of peers that must have completed before disconnection begins.
* This is only applicable to batch search because the slow peers will
  not hold back the fast peers.
* Default: 0.9

bound_on_disconnect_threshold_as_fraction_of_mean = <decimal>
* The maximum value of the threshold data rate that is used to determine
  if a peer is slow.
* The actual threshold is computed dynamically at search time but never exceeds
  (100*maximum_threshold_as_fraction_of_mean)% on either side of the mean.
* Default: 0.2

disabled = <boolean>
* Whether or not this feature is enabled.
* Default: true

grace_period_before_disconnect = <decimal>
* How long, in seconds, when multiplied by life_time_of_collector, to wait
  while the heuristic claims that a peer is slow, before disconnecting the
  peer.
* If the heuristic consistently claims that the peer is slow for at least
  <grace_period_before_disconnect>*life_time_of_collector seconds, then the
  peer is disconnected.
* Default: 0.1

packets_per_data_point = <unsigned integer>
* Rate statistics will be sampled once every packets_per_data_point packets.
* Default: 500

sensitivity = <decimal>
* Sensitivity of the heuristic to newer values. For larger values of
  sensitivity the heuristic will give more weight to newer statistic.
* Default: 0.3

threshold_connection_life_time = <unsigned integer>
* All peers will be given an initial grace period of at least these many
  seconds before they are considered in the heuristic.
* Default: 5

threshold_data_volume = <unsigned integer>
* The volume of uncompressed data that must have accumulated, in
  kilobytes (KB), from a peer before it is considered in the heuristic.
* Default: 1024

[summarize]

bucket_refresh_interval = <integer>
* When poll_buckets_until_maxtime is enabled in a non-clustered
  environment, this is the minimum amount of time (in seconds)
  between bucket refreshes.
* Default: 30

bucket_refresh_interval_cluster = <integer>
* When poll_buckets_until_maxtime is enabled in a clustered
  environment, this is the minimum amount of time (in seconds)
  between bucket refreshes.
* Default: 120

hot_bucket_min_new_events = <integer>
* The minimum number of new events that need to be added to the hot bucket
  (since last summarization)  before a new summarization can take place.
  To disable hot bucket summarization set this value to a * large positive
  number.
* Default: 100000

indextime_lag = <unsigned integer>
* The amount of lag time, in seconds, to give indexing to ensure that
  it has synced any received events to disk.
* Effectively, the data that has been received in the past 'indextime_lag'
  seconds is NOT summarized.
* NOTE: Do not change this setting unless instructed to do so by Splunk Support.
* Default: 90

max_hot_bucket_summarization_idle_time = <unsigned integer>
* Maximum amount of time, in seconds, a hot bucket can be idle. When the
  time exceeds the maximum, all of the events are summarized even if there
  are not enough events (determined by the hot_bucket_min_new_events
  attribute).
* Default: 900 (15 minutes)

max_replicated_hot_bucket_idle_time = <unsigned integer>
* The maximum amount of time, in seconds, that a replicated hot bucket
  can remain idle before 'indextime_lag' is no longer applied to it.
* This applies only to idle replicated hot buckets. When new events arrive,
  the default behavior of applying 'indextime_lag' resumes.
* Default: 150

max_summary_ratio = <decimal>
* A number in the [0-1] range that indicates the maximum ratio of
  summary data / bucket size at which point the summarization of that
  bucket, for the particular search, will be disabled.
* Set to 0 to disable.
* Default: 0

max_summary_size = <integer>
* Size of summary, in bytes, at which point we'll start applying the
  max_summary_ratio.
* Set to 0 to disable.
* Default: 0

max_time = <integer>
* The maximum amount of time, seconds, that a summary search process is
  allowed to run.
* Set to 0 to disable.
* Default: 0

poll_buckets_until_maxtime = <boolean>
* Only modify this setting when you are directed to do so by Support.
* Use the datamodels.conf setting 'acceleration.poll_buckets_until_maxtime'
  for individual data models that are sensitive to summarization latency delays.
* Default: false

auto_finalize_secs_after_maxtime = <integer>
* The maximum amount of time, in seconds, that a summary search process is
  allowed to run after having exceeded max_time before it is auto-finalized.
* The Splunk software auto-finalizes searches after a period of time that is 
  the combination of this setting with the 'acceleration.max_time' setting.
  * For example, if you set 'acceleration.max_time' to 3600 and you set 
    'auto_finalize_secs_after_maxtime' to 300, the Splunk software finalizes 
    the search after 3900 seconds.
* An 'acceleration.max_time' setting of "0" indicates that there is no time
  limit for a summary search and causes the Splunk software to ignore the 
  'auto_finalize_secs_after_maxtime' setting.
* Default: 300

sleep_seconds = <integer>
* The amount of time, in seconds, to sleep between polling the summarization
  complete status.
* Default: 5

sleep_rebuild_deletion_seconds = <integer>
* The maximum amount of time, in seconds, for Splunk software to wait for data 
  model acceleration summary deletion to occur during an automatic summary rebuild.
  When this interval is reached the summary rebuild process moves on to the next 
  bucket. 
* NOTE: Do not change this setting unless instructed to do so by Splunk Support.
* Default: 5

stale_lock_seconds = <integer>
* The amount of time, in seconds, to have elapse since the mod time of
  a .lock file before summarization considers * that lock file stale
  and removes it.
* Default: 600

tscollect_queue_size = <unsigned integer>
* This setting sets the size (in bytes) of the internal producer-consumer
  queue. Accelerated data model summary creation searches use this queue to
  speed up the summarization task.
* Setting this to a non-zero value reduces the memory usage of the data model
  acceleration search process while accelerating large buckets of events.
* A value of 0 represents no bound on the queue size.
* CAUTION: Do not change this setting without consulting Splunk Support.
  Changing it may slow down the accelerated data model summary creation search.
* Default: 0

[system_checks]

insufficient_search_capabilities = enabled | disabled
* Enables/disables automatic daily logging of scheduled searches by users
  who have insufficient capabilities to run them as configured.
* Such searches are those that:
  + Have schedule_priority set to a value other than "default" but the
    owner does not have the edit_search_schedule_priority capability.
  + Have schedule_window set to a value other than "auto" but the owner does
    not have the edit_search_schedule_window capability.
* This check and any resulting logging occur on system startup and every 24
  hours thereafter.
* Default: enabled

installed_files_integrity = enabled | log_only | disabled
* Enables/disables automatic verification on every startup that all the
  files that were installed with the running Splunk version are still the
  files that should be present.
  * Effectively this finds cases where files were removed or changed that
    should not be removed or changed, whether by accident or intent.
  * The source of truth for the files that should be present is the manifest
    file in the $SPLUNK_HOME directory that comes with the release, so if
    this file is removed or altered, the check cannot work correctly.
  * Reading of all the files provided with the install has some I/O cost,
    though it is paid out over many seconds and should not be severe.
* When "enabled", detected problems will cause a message to be posted to
  the bulletin board (system UI status message).
* When "enabled" or "log_only", detected problems will cause details to be
  written out to the splunkd.log file.
* When "disabled", no check will be attempted or reported.
* Default: enabled

installed_files_integrity_interval = <interval>
* The amount of time between each installed file integrity check.
* Has no effect if 'installed_files_integrity' is disabled.
* Specify the interval as a string with minutes, seconds, hours, days.
  For example: 60s, 1m, 1h, 1d, etc.
* Default: 12h

installed_files_anomalous_integrity_interval = <interval>
* The interval at which splunkd checks the $SPLUNK_HOME/bin
  and $SPLUNK_HOME/lib directories for files that exist in
  those directories but should not, according to the
  Splunk manifest file.
* Has no effect if 'installed_files_integrity' is disabled.
* Specify the interval as a string with minutes, seconds, hours, days.
  For example: 60s, 1m, 1h, 1d, etc.
* Default: 5m


orphan_searches = enabled|disabled
* Enables/disables automatic UI message notifications to admins for
  scheduled saved searches with invalid owners.
  * Scheduled saved searches with invalid owners are considered "orphaned".
    They cannot be run because Splunk cannot determine the roles to use for
    the search context.
  * Typically, this situation occurs when a user creates scheduled searches
    then departs the organization or company, causing their account to be
    deactivated.
* Currently this check and any resulting notifications occur on system
  startup and every 24 hours thereafter.
* Default: enabled

[thruput]

maxKBps = <integer>
* The maximum speed, in kilobytes per second, that incoming data is
  processed through the thruput processor in the ingestion pipeline.
* To control the CPU load while indexing, use this setting to throttle
  the number of events this indexer processes to the rate (in
  kilobytes per second) that you specify.
* NOTE:
  * There is no guarantee that the thruput processor
    will always process less than the number of kilobytes per
    second that you specify with this setting. The status of
    earlier processing queues in the pipeline can cause
    temporary bursts of network activity that exceed what
    is configured in the setting.
  * The setting does not limit the amount of data that is
    written to the network from the tcpoutput processor, such
    as what happens when a universal forwarder sends data to
    an indexer.
  * The thruput processor applies the 'maxKBps' setting for each
    ingestion pipeline. If you configure multiple ingestion
    pipelines, the processor multiplies the 'maxKBps' value
    by the number of ingestion pipelines that you have
    configured.
  * For more information about multiple ingestion pipelines, see
    the 'parallelIngestionPipelines' setting in the
    server.conf.spec file.
* Default (Splunk Enterprise): 0 (unlimited)
* Default (Splunk Universal Forwarder): 256

[viewstates]

enable_reaper = <boolean>
* Controls whether the viewstate reaper runs.
* Default: true

reaper_freq = <integer>
* Controls how often, in seconds, the viewstate reaper runs.
* Default: 86400 (24 hours)

reaper_soft_warn_level = <integer>
* Controls what the reaper considers an acceptable number of viewstates.
* Default: 1000

ttl = <integer>
* Controls the age, in seconds, at which a viewstate is considered eligible
  for reaping.
* Default: 86400 (24 hours)

[scheduled_views]

# Scheduled views are hidden [saved searches / reports] that trigger
# PDF generation for a dashboard. When a user enables scheduled PDF delivery
# in the dashboard UI, scheduled views are created.
#
# The naming pattern for scheduled views is _ScheduledView__<view_name>,
# where <view_name> is the name of the corresponding dashboard.
#
# The scheduled views reaper, if enabled, runs periodically to look for
# scheduled views that have been orphaned. A scheduled view becomes orphaned
# when its corresponding dashboard has been deleted. The scheduled views reaper
# deletes these orphaned scheduled views. The reaper only deletes scheduled
# views if the scheduled views have not been disabled and their permissions
# have not been modified.

enable_reaper = <boolean>
* Controls whether the scheduled views reaper runs, as well as whether
* scheduled views are deleted when the dashboard they reference is deleted.
* Default: true

reaper_freq = <integer>
* Controls how often, in seconds, the scheduled views reaper runs.
* Default: 86400 (24 hours)

OPTIMIZATION


# This section contains global and specific optimization settings

[search_optimization]

enabled = <boolean>
* Enables search optimizations
* Default: true

[search_optimization::search_expansion]

enabled = <boolean>
* Enables optimizer-based search expansion.
* This enables the optimizer to work on pre-expanded searches.
* Default: true


# NOTE: Do not edit the below configurations unless directed by support

[search_optimization::replace_append_with_union]

enabled = <boolean>
* Enables replace append with union command optimization
* Default: true

[search_optimization::merge_union]

enabled = <boolean>
* Merge consecutive unions
* Default: true

[search_optimization::insert_redistribute_command]

enabled = <boolean>
* Enables a search language optimization that inserts a 'redistribute' command.
  This lets you use parallel reduce search processing to shorten the search
  runtime for a set of supported SPL commands.
* This optimization cannot be used by Splunk platform implementations that are
  restricted to the single-threaded search execution method. For more
  information about search execution methods, see the description of the
  'phased_execution_mode' setting in this file.
* Default: true

[search_optimization::predicate_merge]

enabled = <boolean>
* Enables predicate merge optimization
* Default: true

inputlookup_merge = <boolean>
* Enables predicate merge optimization to merge predicates into inputlookup
* predicate_merge must be enabled for this optimization to be performed
* Default: true

merge_to_base_search = <boolean>
* Enable the predicate merge optimization to merge the predicates into the
  first search in the pipeline.
* Default: true

fields_black_list = <fields_list>
* A comma-separated list of fields that will not be merged into the first
  search in the pipeline.
* If a field contains sub-tokens as values, then the field should be added
  to fields_black_list
* No default.

[search_optimization::predicate_push]

enabled = <boolean>
* Enables predicate push optimization
* Default: true

[search_optimization::predicate_split]

enabled = <boolean>
* Enables predicate split optimization
* Default: true

[search_optimization::projection_elimination]

enabled = <boolean>
* Enables projection elimination optimization
* Default: true

cmds_black_list = <comma separated list>
* DEPRECATED. Use the 'excluded_commands' setting instead.

excluded_commands = <Commands List>
* A comma-separated list of commands that are not affected by projection
  elimination optimization.
* No default.

[search_optimization::required_field_values]

enabled = <boolean>
* Enables required field value optimization
* Default: true

fields = <comma-separated-string>
* Provide a comma-separated-list of field names to optimize.
* Currently the only valid field names are eventtype and tag.
* Optimization of event type and tag field values applies to transforming
  searches. This optimization ensures that only the event types and
  tags necessary to process a search are loaded by the search processor.
* Only change this setting if you need to troubleshoot an issue.
* Default: eventtype, tag

[search_optimization::search_flip_normalization]

enabled = <boolean>
* Enables predicate flip normalization.
* This type of normalization takes 'where' command statements
  in which the value is placed before the field name and reverses
  them so that the field name comes first.
* Predicate flip normalization only works for numeric values and
  string values where the value is surrounded by quotes.
* Predicate flip normalization also prepares searches to take
  advantage of predicate merge optimization.
* Disable search_flip_normalization if you determine that it is
  causing slow search performance.
* Default: true

[search_optimization::reverse_calculated_fields]

enabled = <boolean>
* Enables reversing of calculated fields optimization.
* Default: true

[search_optimization::search_sort_normalization]

enabled = <boolean>
* Enables predicate sort normalization.
* This type of normalization applies lexicographical sorting logic
  to 'search' command expressions and 'where' command statements,
  so they are consistently ordered in the same way.
* Disable search_sort_normalization if you determine that it is
  causing slow search performance.
* Default: true

[search_optimization::eval_merge]

enabled = <boolean>
* Enables a search language optimization that combines two consecutive
  "eval" statements into one and can potentially improve search performance.
* There should be no side-effects to enabling this setting and need not
  be changed unless you are troubleshooting an issue with search results.
* Default: true

[search_optimization::replace_table_with_fields]

enabled = <boolean>
* Enables a search language optimization that replaces the table
  command with the fields command
  in reporting or stream reporting searches
* There should be no side-effects to enabling this setting and need not
  be changed unless you are troubleshooting an issue with search results.
* Default: true

[search_optimization::replace_stats_cmds_with_tstats]

enabled = <boolean>
* If you are not using summary indexing, enable this setting to improve
  performance for searches that perform statistical operations only on indexed
  fields.
* Do not enable this optimizer if you are dependent on summary indexes. When it
  is enabled, searches that perform timechart operations on summary indexes may
  need to perform extra work to run a fallback search and may run slower.
  This is because the 'tstats' command does not respect the fields created by
  summary indexing commands. If you use summary indexing but still choose to
  enable this optimization globally, you can disable this optimization on
  a per-search basis by appending
  '| noop search_optimization.replace_stats_cmds_with_tstats=f' to the search
  string.
* Default: true

detect_search_time_field_collisions = <boolean>
* Enables checking field collisions between fields.conf which indicates
  whether a field is indexed and props.conf which may contain fields which
  override those fields at search time.
* This enables logic to perform an additional search expansion before the
  replace_stats_cmds_with_tstats optimizer can be applied so that we
  get correct results when this case occurs.
* Default: true

[search_optimization::replace_datamodel_stats_cmds_with_tstats]

enabled = <boolean>
* Enables a search language optimization that replaces stats commands with
  tstats commands in "| datamodel .. | stats" and "| from datamodel .. | stats"
  SPL strings.
* Default: true

[search_optimization::replace_chart_cmds_with_tstats]

* If you are not using summary indexing, enable this optimizer to improve
  performance for searches that perform timechart queries on statistical
  operations only on indexed fields.
* Do not enable this optimizer if you are dependent on summary indexes. When it
  is enabled, searches that perform timechart operations on summary indexes may
  need to perform extra work to run a fallback search and may run slower.
  This is because the 'tstats' command does not respect the fields created by
  summary indexing commands. If you use summary indexing but still choose to
  enable this optimization globally, you can disable this optimization on
  a per-search basis by appending
  '| noop search_optimization.replace_chart_cmds_with_tstats=f'
  to the search string.
* Default: true

detect_search_time_field_collisions = <Boolean>
* When set to 'true', the Splunk software checks for field collisions between
  'fields.conf', which indicates whether a field is indexed, and 'props.conf',
  which may contain fields that override indexed fields at search time.
* This setting enables logic which performs an additional search expansion
  before the replace_chart_cmds_with_tstats optimizer can be applied,
  to ensure that searches return correct results when these field collisions
  occur.
* Default: true

[directives]

required_tags = enabled|disabled
* Enables the use of the required tags directive, which allows the search
  processor to load only the required tags from the conf system.
* Disable this setting only to troubleshoot issues with search results.
* Default: enabled

required_eventtypes = enabled|disabled
* Enables the use of the required eventtypes directive, which allows the search
  processor to load only the required event types from the conf system.
* Disable this setting only to troubleshoot issues with search results.
* Default: enabled

read_summary = enabled|disabled
* Enables the use of the read summary directive, which allows the search
  processor to leverage existing data model acceleration summary data when it
  performs event searches.
* Disable this setting only to troubleshoot issues with search results.
* Default: enabled

[parallelreduce]

maxReducersPerPhase = <positive integer>
* The maximum number of valid indexers that can be used as intermediate
  reducers in the reducing phase of a parallel reduce operation. Only healthy
  search peers are valid indexers.
* If you specify a number greater than 200 or an invalid value, parallel
  reduction does not take place. All reduction processing moves to the search
  head.
* Default: 20

defaultReducersPerPhase = <positive integer>
* Specifies the default number of valid indexers that are used as intermediate
  reducers in the reducing phase of a parallel reduce search job, if the number
  of indexers is not set in the search string by the 'prjob' or 'redistribute'
  commands.
* If 'winningRate' calculates that the size of the potential reducer pool is
  lower than 'defaultReducersPerPhase', the Splunk software uses the number of
  indexers determined by 'winningRate'.
* The value of this setting cannot exceed 'maxReducersPerPhase'.
* Default: 4

maxRunningPrdSearches = <unsigned integer>
* DEPRECATED. Use the 'maxPrdSearchesPerCpu' setting instead.

maxPrdSearchesPerCpu = <unsigned integer> 
* The maximum number of parallel reduce searches that can run, per CPU core, 
  on an indexer.
* If 'maxPrdSearchesPerCpu=1' and the number of concurrent searches exceeds the 
  number of CPU cores on the indexer, new search requests will fail.  
* If 'maxPrdSearchesPerCpu=0', there is no limit. The indexer runs as many 
  parallel reduce searches as the indexer hardware permits
* Default: 0

reducers = <string>
* Use this setting to configure one or more valid indexers as dedicated
  intermediate reducers for parallel reduce search operations. Only healthy
  search peers are valid indexers.
* For <string>, specify the indexer host and port using the following format -
  host:port. Separate each host:port pair with a comma to specify a list of
  intermediate reducers.
* If the 'reducers' list includes one or more valid indexers, all of those
  indexers (and only these indexers) are used as intermediate reducers when you
  run a parallel reduce search. If the number of valid indexers in the
  'reducers' list exceeds 'maxReducersPerPhase', the Splunk software randomly
  selects the set of indexers that are used as intermediate reducers.
* If all of the indexers in the 'reducers' list are invalid, the search runs
  without parallel reduction. All reduce operations for the search are
  processed on the search head.
* If 'reducers' is empty or not configured, all valid indexers are potential
  intermediate reducer candidates. The Splunk software randomly selects valid
  indexers as intermediate reducers with limits determined by the 'winningRate'
  and 'maxReducersPerPhase' settings.
* Default: ""

winningRate = <positive integer>
* The percentage of valid indexers that can be selected from the search peers
  as intermediate reducers for a parallel reduce search operation.
* This setting is only respected when the 'reducers' setting is empty or not
  configured.
* If 100 is specified, the search head attempts to use all of the indexers.
* If 1 is specified, the search head attempts to use 1% of the indexers.
* The minimum number of indexers used as intermediate reducers is 1.
* The maximum number of indexers used as intermediate reducers is the value of
  'maxReducersPerPhase'.
* Default: 50

rdinPairingTimeout = <positive integer>
* The amount of time (in seconds) to wait so that indexers and intermediate
  indexers may get paired
* Note: Only change this setting unless instructed to do so by Splunk Support.
* Default: 30

autoAppliedPercentage = <non-negative integer>
* The percentage of search queries to be selected to run as prjob, should be
  in range of [0, 100].
* If 100 is specified, all search queries will be wrapped as 'prjob'; if 0 is
  specified, no search query will be wrapped.
* Default: 0

autoAppliedToAdhocSearches = <boolean>
* When set to true, the Splunk software uses parallel reduce processing to
  improve the performance of qualifying ad-hoc searches.
* This setting is ignored when '0' is specified for 'autoAppliedPercentage'.
* Default: false

maxPreviewMemUsageMb = <positive integer>
* Sets the maximum amount of memory usage (in MB) that parallel reduce search
  can use in its preview cache.
* NOTE: Do not change this setting unless instructed to do so by Splunk Support.
* Default: 100

enablePreview = <boolean>
* When set to 'true', parallel reduce search jobs generate preview data,
  meaning that partial search results are returned as the search job runs.
* When set to 'false', parallel reduce search jobs do not generate preview data.
  They display only the final results of a parallel reduce search job when the
  search job completes.
* Default: true

disabledCommandList = <comma-separated list>
* Specifies a list of commands that are not run for searches that undergo
  parallel reduce search processing.
  * This list is comma-separated, without spaces.
* For example, to disable the 'dedup' and 'sort' commands in parallel reduce
  searches, set 'disabledCommandList = dedup,sort'.
* Note: Do not change this setting unless instructed to do so by Splunk Support.
* Default: addinfo,lookup

previewReducerDutyCycle = <number>
* Sets the maximum time to spend generating previews on intermediate reducers,
  as a fraction of the total search time.
* Note: This setting affects only preview generation on intermediate reducers.
  This setting is not affected by the 'preview_duty_cycle' setting under the
  '[search]' stanza, which controls preview generation on the search head.
* Must be > 0.0 and < 1.0
* Default: 0.1

[rollup]

minSpanAllowed = <integer>
* Sets the minimum timespan for the scheduled searches that generate metric
  rollup summaries.
* Each rollup summary uses a scheduled search to provide its metric data point
  aggregations. The interval of the search matches the span defined for the
  rollup summary.
* However, when you run large numbers of scheduled searches with short
  intervals, you can encounter search concurrency problems, where some searches
  skip scheduled runs.
* To reduce the risk of search concurrency issues, this setting ensures that
  the rollup summaries created for your have longer spans.
* Do not set below 60 seconds.
* Default: 300

[mcollect]

always_use_single_value_output = <boolean>
* When set to true, mcollect outputs metric data points that only have one
  measure per data point.
* When set to false, mcollect outputs metric data points that can have
  several measures per data point.
* When your Splunk platform instance is fully upgraded to Splunk 8.0.0, change
  this setting to 'false'.
* Default:true

[segmenter]

use_segmenter_v2 = <boolean>
* When set to true, this setting causes certain tokenization operations to use
  SSE (Streaming SIMD Extensions) instructions. This improves overall search
  performance.
* This setting affects only those CPUs that support SSE4.2.
* NOTE: Do not change this setting unless instructed to do so by Splunk Support.
* Default: true




Required Field Optimization


[search_optimization::set_required_fields]

* The settings in this stanza affect how the search processors handle required
  field optimization.
* Required field optimization prevents specified but unused fields from being
  extracted or otherwise created during a search. This can improve search
  performance.

stats = <boolean>
* This setting determines whether the stats processor uses the required field
  optimization methods of Stats V2, or if it falls back to the older, less
  optimized version of required field optimization that was used prior to Stats
  v2.
* When set to 'true': the stats processor uses the Stats v2 version of the
    required field optimization. Do not set the value to "1" to indicate "true", 
    because some systems might not parse this value correctly.
* When set to 'false': the stats processor falls back to the older version of
    the required field optimization.
* Do not change this setting unless instructed to do so by Splunk support.
* Default: false

[watchdog]

stack_files_ttl = <integer>
* The amount of time to keep a watchdog stack file.
* The interval can be specified as a string for minutes, seconds, hours, days.
* For example; 60s, 1m, 1h, 1d etc.
* These files are located in $SPLUNK_HOME/var/log/watchdog.
* If set to 0, the files will not be removed.
* Default: 7d

stack_files_removal_period = <integer>
* The time interval used to check for files that exceed the 'stack_files_ttl' setting.
* The interval can be specified as a string for minutes, seconds, hours, days.
* For example; 60s, 1m, 1h, 1d etc.
* Default: 1h


Ingest Actions


[ingest_actions]

rfs.provider.rawdata_limit_mb = <non-negative integer>
* Limits the amount of RAM, in megabytes (MB), that a specific storage provider
  type (such as AWS S3) can use for forwarding events to one or more destinations.
* This limit is applied only to the raw event data held in memory or in the
  process of being written to the storage endpoint.
* If the limit is reached, the RFS worker thread will not fetch further events
  from the pipeline, potentially causing upstream queues to fill up and eventually
  block the overall event pipeline.
* To avoid queue blocking, RFS worker thread may attempt to flush events more
  frequently than required, resulting in creating smaller files than expected.
  Therefore, a lower limit can result in smaller file sizes.
* Default: 1024

rfs.provider.max_workers = <non-negative integer>
* Max number of worker threads per storage provider type (such as AWS S3) used
  to serialize events into compressed JSON file for storing on one or more
  destinations.
* Default: 4

rfs.provider.max_concurrent_uploads = <unsigned integer>
* The maximum number of uploads to a storage provider, such as AWS S3, that
  can occur at the same time.
  * Increasing this value might help with low outbound throughput,
    especially for small batch uploads.
* The lowest acceptable value is 1 and the highest acceptable value is 8.
* Default: 4

rfsS3DestinationOff = <boolean>
* Specifies whether Ingest Actions S3 destination configuration is turned off.
* If S3 destination configuration is turned off, users will not see "Destination"
  page in the UI.
* If S3 destination configuration is turned off, users will not be able to configure
  S3 destination through REST endpoint.
* S3 destination configuration is turned off by default in GCP instances.
* Default: false


DataLake


[datalake]

sqs.ingest.max_threads = <non-negative integer>
* The maximum number of threads per pipeline-set that can be used by Splunk
  software to handle ingest from Amazon Security Lake instances that are
  subscribed through SQS remote queue for Federated Analytics data lake
  indexes.
* Default: 4

SPL2


[spl2]

origin = [all|none|<search-origin>]
* Limits where the SPL2 search can originate from.
* Use a comma-separated list for the value. Currently, the only supported value is "ad-hoc".
* Default: all

run_as_owner_ttl = <nonnegative integer>[s|m|h|d]
* The time-to-live (ttl), specified as a relative time, for searches that are designated to run as if the user is the owner of the search.
* Valid time units are s (seconds), m (minutes), h (hours), and d (days).
* Default: "1d" (1 day)

[storage_passwords_masking]

view_cleartext_allowlist = <comma-separated list>
* A set of external networks or addresses that can receive passwords
  in cleartext in response to calls to the "/storage/passwords" REST
  endpoint.
* This setting does not apply for requests to the "localhost" address.
  Those requests always receive passwords in cleartext.
* Separate multiple rules with commas or spaces.
* Each rule can be in one of the following formats:
    1. A single IPv4 or IPv6 address (examples: "10.1.2.3", "fe80::4a3")
    2. A Classless Inter-Domain Routing (CIDR) block of addresses
       (examples: "10/8", "192.168.1/24", "fe80:1234/32")
    3. A DNS name, possibly with a "*" used as a wildcard
       (examples: "myhost.example.com", "*.splunk.com")
    4. "*", which matches anything
* You can also prefix an entry with '!' to cause the rule to reject the
  connection. The input applies rules in order, and uses the first one that
  matches.
  For example, "!10.1/16, *" returns cleartext passwords to calls from everywhere
  except the 10.1.*.* network.
* Default: "*" (always return cleartext passwords)

view_cleartext_spl_rest = <boolean>
* Whether or not the SPL 'rest' command can return passwords in cleartext
  when it makes calls to the "/storage/passwords" REST endpoint.
* A value of "true" means that the command can return cleartext passwords
  when it makes calls to the "/storage/passwords" endpoint.
* A value of "false" means that the command cannot return cleartext passwords
  when it makes calls to the "/storage/passwords" endpoint.
* Default: true


limits.conf.example

#   Version 9.4.0
# CAUTION: Do not alter the settings in limits.conf unless you know what you are doing.
# Improperly configured limits may result in splunkd crashes and/or memory overuse.


[searchresults]
maxresultrows = 50000
# maximum number of times to try in the atomic write operation (1 = no retries)
tocsv_maxretry = 5
# retry period is 1/2 second (500 milliseconds)
tocsv_retryperiod_ms = 500

[subsearch]
# maximum number of results to return from a subsearch
maxout = 100
# maximum number of seconds to run a subsearch before finalizing
maxtime = 10
# time to cache a given subsearch's results
ttl = 300

[anomalousvalue]
maxresultrows = 50000
# maximum number of distinct values for a field
maxvalues = 100000
# maximum size in bytes of any single value (truncated to this size if larger)
maxvaluesize = 1000

[associate]
maxfields = 10000
maxvalues = 10000
maxvaluesize = 1000

# for the contingency, ctable, and counttable commands
[ctable]
maxvalues = 1000

[correlate]
maxfields = 1000

# for bin/bucket/discretize
[discretize]
maxbins = 50000
# if maxbins not specified or = 0, defaults to searchresults::maxresultrows

[inputcsv]
# maximum number of retries for creating a tmp directory (with random name in
# SPLUNK_HOME/var/run/splunk)
mkdir_max_retries = 100

[kmeans]
maxdatapoints = 100000000

[kv]
# when non-zero, the point at which kv should stop creating new columns
maxcols = 512

[rare]
maxresultrows = 50000
# maximum distinct value vectors to keep track of
maxvalues = 100000
maxvaluesize = 1000

[restapi]
# maximum result rows to be returned by /events or /results getters from REST
# API
maxresultrows = 50000

[search]
# how long searches should be stored on disk once completed
ttl = 86400

# the approximate maximum number of timeline buckets to maintain
status_buckets = 300

# the last accessible event in a call that takes a base and bounds
max_count = 10000

# the minimum length of a prefix before a * to ask the index about
min_prefix_len = 1

# the length of time to persist search cache entries (in seconds)
cache_ttl = 300

# By default, we will not retry searches in the event of indexer
# failures with indexer clustering enabled.
# Hence, the default value for search_retry here is false.
search_retry = false

# Timeout value for checking search marker files like hotbucketmarker or backfill
# marker.
check_search_marker_done_interval = 60

# Time interval of sleeping between subsequent search marker files checks.
check_search_marker_sleep_interval = 1

# The total number of concurrent searches is set to 10 manually. 
total_search_concurrency_limit = 100

# If number of CPUs in your machine is 14, then the total system-wide limit of
# concurrent historical searches on this machine is 20, which is
# max_searches_per_cpu x number_of_cpus + base_max_searches = 1 x 14 + 6 = 20.
max_searches_per_cpu = 1
base_max_searches = 6

# Whether maximum number of concurrent searches are enforced cluster-wide
# for admission of adhoc searches
shc_adhoc_quota_enforcement = on

# Enable throttling on both CPU and memory
remote_search_requests_throttling_type = per_cpu, physical_ram

# If the peer node has 48 cores, the following setting allows a maximum of 720 
# concurrent searches.
[search_throttling::per_cpu]
max_concurrent = 13

# If the peer has 64 GB of RAM, the following setting allows a maximum of 512 
# concurrent searches.
[search_throttling::physical_ram]
min_memory_per_search = 134217728

[scheduler]

# Percent of total concurrent searches that will be used by scheduler is
# total concurrency x max_searches_perc = 20 x 60% = 12 scheduled searches
# User default value (needed only if different from system/default value) when
# no max_searches_perc.<n>.when (if any) below matches.
max_searches_perc = 60

# Increase the value between midnight-5AM.
max_searches_perc.0 = 75
max_searches_perc.0.when = * 0-5 * * *

# More specifically, increase it even more on weekends.
max_searches_perc.1 = 85
max_searches_perc.1.when = * 0-5 * * 0,6

# Maximum number of concurrent searches is enforced cluster-wide by the
# captain for scheduled searches. For a 3 node SHC total concurrent
# searches = 3 x 20 = 60. The total searches (adhoc + scheduled) = 60, then
# no more scheduled searches can start until some slots are free.
shc_syswide_quota_enforcement = true

[slc]
# maximum number of clusters to create
maxclusters = 10000

[findkeywords]
#events to use in findkeywords command (and patterns UI)
maxevents = 50000

[stats]
maxresultrows = 50000
maxvalues = 10000
maxvaluesize = 1000

[top]
maxresultrows = 50000
# maximum distinct value vectors to keep track of
maxvalues = 100000
maxvaluesize = 1000

[search_optimization]
enabled = true

[search_optimization::predicate_split]
enabled = true

[search_optimization::predicate_push]
enabled = true

[search_optimization::predicate_merge]
enabled = true
inputlookup_merge = true
merge_to_base_search = true

[search_optimization::projection_elimination]
enabled = true
excluded_commands = eval, rename

[search_optimization::search_flip_normalization]
enabled = true

[search_optimization::reverse_calculated_fields]
enabled = true

[search_optimization::search_sort_normalization]
enabled = true

[search_optimization::replace_table_with_fields]
enabled = true

[search_optimization::replace_stats_cmds_with_tstats]
enabled = true
detect_search_time_field_collisions = true

[search_optimization::replace_datamodel_stats_cmds_with_tstats]
enabled = true


Last modified on 02 December, 2024
instance.cfg.conf   literals.conf

This documentation applies to the following versions of Splunk® Enterprise: 9.4.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters