Splunk Cloud Platform

Admin Config Service Manual

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Manage limits.conf configurations in Splunk Cloud Platform

The Admin Config Service (ACS) API supports self-service management of limits.conf configurations, which is useful for optimizing search performance on your Splunk Cloud Platform deployment. You can use the ACS API to edit, view, and reset select limits.conf settings programmatically, without assistance from Splunk Support.

Requirements

To manage limits.conf configurations using the ACS API:

The ACS API does not currently support AWS GovCloud or FedRAMP environments.

Set up the ACS API

Before using the ACS API, you must download the ACS Open API 3.0 specification, which includes the parameters, codes, and other data you need to work with the ACS API. You must also create a JWT authentication token in Splunk Cloud Platform for use with ACS endpoint requests. For details on how to set up the ACS API for app management, see Set up the ACS API.

Manage limits.conf configurations using the ACS API

This section shows you how to edit, view, and reset select limits.conf settings using the ACS API.

The following table shows editable limits.conf settings by stanza, with minimum, maximum, and default values:

Stanza Setting Description Values (min/max/default)
[join] subsearch_maxout The maximum number of result rows to output from subsearch to join against. "minValue": 0

"maxValue": 100000
"defaultValue": 50000

subsearch_maxtime Maximum search time, in seconds, before auto-finalization of subsearch. "minValue": 0

"maxValue": 120
"defaultValue": 60

subsearch_timeout Maximum time, in seconds, to wait for subsearch to fully finish. "minValue": 0

"maxValue": 240
"defaultValue": 120

[kv] maxchars Truncate _raw to this size and then do auto KV. "minValue": 0

"maxValue": 20480
"defaultValue": 10240

limit The maximum number of fields that an automatic key-value field extraction (auto kv) can generate at search time. "minValue": 0

"maxValue": 200
"defaultValue": 100

[subsearch] maxout Maximum number of results to return from a subsearch. "minValue": 0

"maxValue": 10400
"defaultValue": 10000

maxtime Maximum number of seconds to run a subsearch before finalizing "minValue": 0

"maxValue": 120
"defaultValue": 60

[searchresults] maxresultrows Maximum number of events generated by search commands "minValue": 0

"maxValue": 1000000
"defaultValue": 50000

All editable limits.conf settings are reloadable.

For more information on limits.conf settings, see limits.conf in the Splunk Enterprise Admin Manual.

View all limits.conf settings

To list the current configuration of all editable limits.conf settings, send an HTTP GET request to the limits endpoint. For example:

curl -X GET https://admin.splunk.com/{stack}/adminconfig/v2/limits \
-H "Authorization: Bearer <token>"

The request returns a list of all editable limits.conf stanzas and their corresponding values. For example:

[{"Stanza":"join","Values":{"subsearch_maxout":"91519","subsearch_maxtime":"111","subsearch_timeout":"120"}},{"Stanza":"kv","Values":{"limit":"100","maxchars":"182"}},{"Stanza":"subsearch","Values":{"maxout":"10000","maxtime":"60"}}]

For endpoint details, see limits in the ACS endpoint reference.

Edit limits.conf settings

To edit limits.conf settings, send an HTTP POST request to the limits/{stanza} endpoint, specifying the name of the limits.conf stanza in the request URL, and the setting name and updated value in the request body. For example:

curl --location --request POST 'https://admin.splunk.com/{stack}/adminconfig/v2/limits/{stanza}' \
--header 'Authorization: Bearer <token>' \
--header 'Content-Type: application/json' \
--data-raw '{
    "settings": {
        "subsearch_maxout": 91519,
        "subsearch_maxtime": 111
    }
}'

A successful request returns the settings and their updated values, with 202 status code, indicating the request was accepted, but the configuration update is still in progress due to the asynchronous ACS API. For example:

{"settings":{"subsearch_maxout":91519,"subsearch_maxtime":111}}

To confirm that your limits.conf update is complete, send an HTTP GET request to the limits/{stanza} endpoint, until the updated settings values appear in the output. See View a specific limits.conf stanza.

Invalid request responses

If your request contains a non-existent or uneditable stanza or setting, ACS returns an invalid response. For example:

{"code":"403-forbidden","message":"not allowed to access setting <invalid stanza>"}

If your request contains out-of-bounds setting value, ACS returns an invalid response. For example:

{"code":"403-forbidden","message":"request value 11111111111111.000000 outside of bounds min: 0.000000, max: 120.000000"}

If your request contains a non-integer setting value, ACS returns an invalid response. For example:

{"code":"403-forbidden","message":"Values provided must be positive integers"}

For endpoint details, see limits/{stanza} in the ACS endpoint reference.

View a specific limits.conf stanza

To view the current configuration of a specific limits.conf stanza, send an HTTP GET request to the limits/{stanza} endpoint, specifying the name of the stanza. For example:

curl -X GET https://admin.splunk.com/{stack}/adminconfig/v2/limits/{stanza} \
-H "Authorization: Bearer <token>"

The request returns a list of all editable settings and their values in the stanza. For example:

{"subsearch_maxout":"91519","subsearch_maxtime":"111","subsearch_timeout":"120"}

The GET request for a specific stanza returns only editable settings in that stanza.

For endpoint details, see limits/{stanza} in the ACS endpoint reference.

View a specific limits.conf setting

To view the configuration of a specific limits.conf setting under a specific stanza, send an HTTP GET request to the limits/{stanza}/{setting} endpoint, specifying the name of the stanza and the setting. For example:

curl -X GET https://admin.splunk.com/{stack}/adminconfig/v2/limits/{stanza}/{setting} \
-H "Authorization: Bearer <token>"

The request returns the specified setting and its current value. For example:

{"subsearch_maxout":"91519"}

For endpoint details, see limits/{stanza}/{setting} in the ACS endpoint reference.

Reset all limits.conf settings under a specific stanza

To reset all editable limits.conf setting values under a specific stanza, send an HTTP POST request to the limits/{stanza}/reset endpoint, specifying the name of the stanza in the request URL. For example:

curl --location --request POST 'https://admin.splunk.com/{stack}/adminconfig/v2/limits/{stanza}/reset' \
--header 'Authorization: Bearer <token>'

A successful request returns all editable settings in the stanza with their reset default values. For example:

{"settings":{"subsearch_maxout":50000,"subsearch_maxtime":60,"subsearch_timeout":120}}

If your request contains an invalid or uneditable stanza, ACS returns a "not allowed to access stanza" message. For example:

{"code":"403-forbidden","message":"not allowed to access stanza <invalid stanza>"}

For endpoint details, see limits/{stanza}/reset in the ACS endpoint reference.

Reset specific limits.conf settings under a specific stanza

To reset a specific set of editable limits.conf settings under a specific stanza, send an HTTP POST request to the limits/{stanza}/reset endpoint, specifying the name of the stanza in the request URL, and the names of the settings in the request body. For example:

curl --location --request POST 'https://admin.splunk.com/{stack}/adminconfig/v2/limits/{stanza}/reset' \
--header 'Authorization: Bearer <token>' \
--header 'Content-Type: application/json' \
--data-raw '{
    "settings": [
        "subsearch_maxout", "subsearch_timeout"
    ]
}'

A successful request returns the specific settings in the stanza, reset to their default values. For example:

{"settings":{"subsearch_maxout":50000,"subsearch_timeout":120}}

If your request contains one or more uneditable or invalid settings, ACS returns a "not allowed to access setting" message. For example:

{"code":"403-forbidden","message":"not allowed to access setting <invalid settings>"}

If even a single specified setting is invalid, ACS will reject the request.

For endpoint details, see limits/{stanza}/reset in the ACS endpoint reference.

Last modified on 28 April, 2022
PREVIOUS
Manage indexes in Splunk Cloud Platform
  NEXT
Manage private apps in Splunk Cloud Platform

This documentation applies to the following versions of Splunk Cloud Platform: 8.2.2203


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters