Splunk Cloud Platform

Splunk Cloud Platform Admin Manual

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Configure limits using Splunk Web

Splunk Cloud Platform supports self-service configuration of select limits.conf settings, which can be useful for optimizing search performance. You can use the Configure limits page in Splunk Web to view and edit limits.conf settings, without assistance from Splunk Support.

Alternatively, you can configure limits.conf settings programmatically using the Admin Config Service (ACS) API. For more information, see Manage limits.conf configurations in Splunk Cloud Platform in the Admin Config Service Manual.

Requirements

To configure limits.conf using Splunk Web:

  • You must have the sc_admin role.
  • You must have the edit_limits_conf capability. The sc_admin role includes this capability by default.
  • You must have Splunk Cloud Platform version 9.0.2209.
  • Your Splunk Cloud Platform deployment must be on Victoria Experience. See Determine your Splunk Cloud Platform Experience.
  • Automatic UI updates and token authentication must be enabled for your deployment.
  • Your deployment must have one or more separate search heads or a search head cluster.

The Configure limits UI does not currently support AWS GovCloud or FedRAMP environments.

Changing limits.conf settings can affect the performance of your Splunk Cloud Platform deployment.

View and edit limits.conf settings

This section shows you how to view and edit select limits.conf settings using Splunk Web.

The table shows editable limits.conf settings by stanza, with minimum, maximum, and default values:

Stanza Setting Description Values (min/max/default)
[join] subsearch_maxout The maximum number of result rows to output from subsearch to join against. "minValue": 0

"maxValue": 100000
"defaultValue": 50000

subsearch_maxtime Maximum search time, in seconds, before auto-finalization of subsearch. "minValue": 0

"maxValue": 120
"defaultValue": 60

[kv] maxchars Truncate _raw to this size and then do auto KV. A value of 0 means that no truncation occurs. "minValue": 0

"maxValue": 20480
"defaultValue": 10240

limit The maximum number of fields that an automatic key-value field extraction (auto kv) can generate at search time. "minValue": 0

"maxValue": 200
"defaultValue": 100

maxcols When non-zero, the point at which kv stops creating new fields. "minValue": 256

"maxValue": 2048
"defaultValue": 512

[subsearch] maxout Maximum number of results to return from a subsearch. "minValue": 0

"maxValue": 10400
"defaultValue": 10000

maxtime Maximum number of seconds to run a subsearch before finalizing "minValue": 0

"maxValue": 120
"defaultValue": 60

All editable limits.conf settings are reloadable.

Enable automatic UI updates and token authentication

Before you can access and use the Configure limits page in Splunk Web, you must enable automatic UI updates and token authentication for your deployment.

To enable automatic UI updates:

  1. In Splunk Web, select Settings > Automatic UI updates.
  2. Set the switch to enable automatic UI updates.
  3. Select Save.

After you enable automatic UI updates the Configure Limits menu option appears under Settings > Server settings.

To enable token authentication:

  1. In Splunk Web, select Settings > Tokens > Token Settings.
  2. Set the Token Authentication switch to Enabled.

Configure limits.conf settings

To view, edit, or reset limits.conf settings using Splunk Web:

  1. Select Settings > Server settings.
  2. If token authentication is not enabled, select Go to tokens page and enable token authentication.
  3. Edit one or more of the available limits.conf settings values.
  4. Select Save. A successful request message means that your edits have been submitted successfully, but setting changes can still take time to propagate.
Last modified on 26 January, 2023
PREVIOUS
Configure webhook allow list using Splunk Web
  NEXT
Manage HTTP Event Collector (HEC) tokens in Splunk Cloud Platform

This documentation applies to the following versions of Splunk Cloud Platform: 9.0.2209 (latest FedRAMP release)


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters