Manage limits.conf configurations in Splunk Cloud Platform
The Admin Config Service (ACS) API supports self-service management of limits.conf
configurations, which is useful for optimizing search performance on your Splunk Cloud Platform deployment. You can use the ACS API to edit, view, and reset select limits.conf
settings programmatically, without assistance from Splunk Support.
You can also configure select limits.conf
settings using the Splunk Web UI. For more information, see Configure limits in the Splunk Cloud Platform Admin Manual.
Requirements
To manage limits.conf
configurations using the ACS API:
- Your role must have the capabilities required to access the ACS API endpoint. The
sc_admin
role has all required capabilities by default. For a list of required capabilities, see Manage ACS API access with capabilities. - You must have Splunk Cloud Platform version 8.2.2203 or higher.
- Your Splunk Cloud Platform deployment must be on Victoria Experience. See Determine your Splunk Cloud Platform Experience.
- Your deployment must have one or more separate search heads or a search head cluster. ACS is not supported on single instance deployments.
Changing limits.conf settings can affect the performance of your Splunk Cloud Platform deployment.
Set up the ACS API
Before using the ACS API, you must download the ACS Open API 3.0 specification, which includes the parameters, codes, and other data you need to work with the ACS API. You must also create a JWT authentication token in Splunk Cloud Platform for use with ACS endpoint requests. For details on how to set up the ACS API for app management, see Set up the ACS API.
Manage limits.conf configurations using the ACS API
This section shows you how to view, edit, and reset select limits.conf
settings using the ACS API.
The following table shows editable limits.conf
settings by stanza, with minimum, maximum, and default values:
Stanza | Setting | Description | Values (min/max/default) |
---|---|---|---|
[join] | subsearch_maxout | The maximum number of result rows to output from subsearch to join against. | "minValue": 0 "maxValue": 100000 |
subsearch_maxtime | Maximum search time, in seconds, before auto-finalization of subsearch. | "minValue": 0 "maxValue": 120 | |
[kv] | maxchars | Truncate _raw to this size and then do auto KV. | "minValue": 1 "maxValue": 20480 |
limit | The maximum number of fields that an automatic key-value field extraction (auto kv) can generate at search time. | "minValue": 1 "maxValue": 200 | |
maxcols | When non-zero, the point at which kv stops creating new fields. | "minValue": 256 "maxValue": 2048 | |
[pdf] | max_rows_per_table | The maximum number of rows that will be rendered for a table within integrated PDF rendering. | "minValue": 500 "maxValue": 5000 |
[scheduler] | max_per_result_alerts | Maximum number of alerts to trigger for each saved search instance (or real-time results preview for RT alerts). Only applies in non-digest mode alerting. | "minValue": 250 "maxValue": 5000 |
max_per_result_alerts_time | Maximum amount of time, in seconds, to spend triggering alerts for each saved search instance (or real-time results preview for RT alerts). Only applies in non-digest mode alerting. | "minValue": 150 "maxValue": 1800 | |
[searchresults] | maxresultrows | Maximum number of events generated by search commands | "minValue": 0 "maxValue": 1000000 |
[spath] | extraction_cutoff | For 'extract-all' spath extraction mode, this setting applies extraction only to the first <integer> number of bytes. This setting applies both the auto kv extraction and the spath command, when explicitly extracting fields. | "minValue": 2500 "maxValue": 2000000 |
[subsearch] | maxout | Maximum number of results to return from a subsearch. | "minValue": 0 "maxValue": 10400 |
maxtime | Maximum number of seconds to run a subsearch before finalizing | "minValue": 0 "maxValue": 120 |
All editable limits.conf
settings are reloadable.
For more information on limits.conf
settings, see limits.conf in the Splunk Enterprise Admin Manual.
View all limits.conf settings
To list the current configuration of all editable limits.conf
settings, send an HTTP GET request to the limits
endpoint. For example:
curl -X GET https://admin.splunk.com/{stack}/adminconfig/v2/limits \ -H "Authorization: Bearer <token>"
The request returns a list of all editable limits.conf
stanzas and their corresponding values. For example:
[{"Stanza":"join","Values":{"subsearch_maxout":"91519","subsearch_maxtime":"111","subsearch_timeout":"120"}},{"Stanza":"kv","Values":{"limit":"100","maxchars":"182"}},{"Stanza":"subsearch","Values":{"maxout":"10000","maxtime":"60"}}]
For endpoint details, see limits in the ACS endpoint reference.
Edit limits.conf settings
To edit limits.conf settings, send an HTTP POST request to the limits/{stanza}
endpoint, specifying the name of the limits.conf
stanza in the request URL, and the setting name and updated value in the request body. For example:
curl --location --request POST 'https://admin.splunk.com/{stack}/adminconfig/v2/limits/join' \ --header 'Authorization: Bearer <token>' \ --header 'Content-Type: application/json' \ --data-raw '{ "settings": { "subsearch_maxout": 91519, "subsearch_maxtime": 111 } }'
A successful request returns the settings and their updated values, with 202 status code, indicating the request was accepted, but the configuration update is still in progress due to the asynchronous ACS API. For example:
{"settings":{"subsearch_maxout":91519,"subsearch_maxtime":111}}
To confirm that your limits.conf
update is complete, send an HTTP GET request to the limits/{stanza}
endpoint, until the updated settings values appear in the output. See View a specific limits.conf stanza.
Invalid request responses
If your request contains a non-existent or uneditable stanza or setting, ACS returns an invalid response. For example:
{"code":"403-forbidden","message":"not allowed to access setting <invalid stanza>"}
If your request contains out-of-bounds setting value, ACS returns an invalid response. For example:
{"code":"403-forbidden","message":"request value 11111111111111.000000 outside of bounds min: 0.000000, max: 120.000000"}
If your request contains a non-integer setting value, ACS returns an invalid response. For example:
{"code":"403-forbidden","message":"Values provided must be positive integers"}
For endpoint details, see limits/{stanza} in the ACS endpoint reference.
View a specific limits.conf stanza
To view the current configuration of a specific limits.conf
stanza, send an HTTP GET request to the limits/{stanza}
endpoint, specifying the name of the stanza. For example:
curl -X GET https://admin.splunk.com/{stack}/adminconfig/v2/limits/join \ -H "Authorization: Bearer <token>"
The request returns a list of all editable settings and their values in the stanza. For example:
{"subsearch_maxout":"91519","subsearch_maxtime":"111", "subsearch_timeout":"120"}
The GET request for a specific stanza returns only editable settings in that stanza.
For endpoint details, see limits/{stanza} in the ACS endpoint reference.
View a specific limits.conf setting
To view the configuration of a specific limits.conf
setting under a specific stanza, send an HTTP GET request to the limits/{stanza}/{setting}
endpoint, specifying the name of the stanza and the setting. For example:
curl -X GET https://admin.splunk.com/{stack}/adminconfig/v2/limits/join/subsearch_maxout \ -H "Authorization: Bearer <token>"
The request returns the specified setting and its current value. For example:
{"subsearch_maxout":"91519"}
For endpoint details, see limits/{stanza}/{setting} in the ACS endpoint reference.
View default values for settings in all stanzas
To view all supported stanzas along with with default values for each setting within the stanza, send an HTTP GET request to the /limits/defaults
endpoint. For example:
curl -X GET https://admin.splunk.com/{stack}/adminconfig/v2/limits/defaults \ -H "Authorization: Bearer <token>"
The request returns a list of all supported stanzas along with the default value for each setting within the stanza:
[ { "stanza": "join", "settings": [ { "setting": "subsearch_maxout", "minValue": 0, "maxValue": 100000, "defaultValue": 50000 }, { "setting": "subsearch_maxtime", "minValue": 0, "maxValue": 120, "defaultValue": 60 }, { "setting": "subsearch_timeout", "minValue": 0, "maxValue": 240, "defaultValue": 120 } ] }, ... ]
For endpoint details, see limits/defaults in the ACS endpoint reference.
View default values for settings in a specific stanza
To view default values for settings within a specific stanza, send an HTTP GET request to the /limits/{stanza}/defaults
endpoint. For example:
curl -X GET https://admin.splunk.com/{stack}/adminconfig/v2/limits/subsearch/defaults \ -H "Authorization: Bearer <token>"
The request returns a list of default values for settings with the specified stanza. For example:
{ "stanza": "subsearch", "settings": [ { "setting": "maxout", "minValue": 0, "maxValue": 10400, "defaultValue": 10000 }, { "setting": "maxtime", "minValue": 0, "maxValue": 120, "defaultValue": 60 } ] }
For endpoint details, see limits/{stanza}/defaults in the ACS endpoint reference.
Restore default values for all limits.conf settings under a specific stanza
To restore the default values for all editable limits.conf
settings under a specific stanza, send an HTTP POST request to the limits/{stanza}/reset
endpoint, specifying the name of the stanza in the request URL. For example:
curl --location --request POST 'https://admin.splunk.com/{stack}/adminconfig/v2/limits/join/reset' \ --header 'Authorization: Bearer <token>'
A successful request returns all editable settings in the stanza, with their default values restored. For example:
{"settings":{"subsearch_maxout":50000,"subsearch_maxtime":60,"subsearch_timeout":120}}
If your request contains an invalid or uneditable stanza, ACS returns a "not allowed to access stanza" message. For example:
{"code":"403-forbidden","message":"not allowed to access stanza <invalid stanza>"}
For endpoint details, see limits/{stanza}/reset in the ACS endpoint reference.
Restore default values for specific limits.conf settings under a specific stanza
To restore default values for a specific set of editable limits.conf
settings under a specific stanza, send an HTTP POST request to the limits/{stanza}/reset
endpoint, specifying the name of the stanza in the request URL, and the names of the settings in the request body. For example:
curl --location --request POST 'https://admin.splunk.com/{stack}/adminconfig/v2/limits/join/reset' \ --header 'Authorization: Bearer <token>' \ --header 'Content-Type: application/json' \ --data-raw '{ "settings": [ "subsearch_maxout", "subsearch_timeout" ] }'
A successful request returns the specific settings in the stanza, with their default values restored. For example:
{"settings":{"subsearch_maxout":50000,"subsearch_timeout":120}}
If your request contains one or more uneditable or invalid settings, ACS returns a "not allowed to access setting" message. For example:
{"code":"403-forbidden","message":"not allowed to access setting <invalid settings>"}
If even a single specified setting is invalid, ACS will reject the request.
For endpoint details, see limits/{stanza}/reset in the ACS endpoint reference.
Manage DDSS self storage locations | Manage private apps in Splunk Cloud Platform |
This documentation applies to the following versions of Splunk Cloud Platform™: 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403 (latest FedRAMP release), 9.2.2406
Feedback submitted, thanks!