Splunk Cloud Platform

Splunk Cloud Platform Admin Manual

Configure limits using Splunk Web

Splunk Cloud Platform supports self-service configuration of select limits.conf settings, which can be useful for optimizing search performance. You can use the Configure limits page in Splunk Web to view and edit limits.conf settings, without assistance from Splunk Support.

Alternatively, you can configure limits.conf settings programmatically using the Admin Config Service (ACS) API. For more information, see Manage limits.conf configurations in Splunk Cloud Platform in the Admin Config Service Manual.

Requirements

To configure limits.conf using Splunk Web:

  • You must have the sc_admin role.
  • You must have the edit_limits_conf capability. The sc_admin role includes this capability by default.
  • You must have Splunk Cloud Platform version 9.0.2209 or higher.
  • Your Splunk Cloud Platform deployment must be on Victoria Experience. See Determine your Splunk Cloud Platform Experience.
  • Automatic UI updates and token authentication must be enabled for your deployment.
  • Your deployment must have one or more separate search heads or a search head cluster.

The Configure limits UI does not currently support AWS GovCloud or FedRAMP environments.

Changing limits.conf settings can affect the performance of your Splunk Cloud Platform deployment.

View and edit limits.conf settings

This section shows you how to view and edit select limits.conf settings using Splunk Web.

The table shows editable limits.conf settings by stanza, with minimum, maximum, and default values:

Stanza Setting Description Values (min/max/default)
[join] subsearch_maxout The maximum number of result rows to output from subsearch to join against. "minValue": 0

"maxValue": 100000
"defaultValue": 50000

subsearch_maxtime Maximum search time, in seconds, before auto-finalization of subsearch. "minValue": 0

"maxValue": 120
"defaultValue": 60

[kv] maxchars Truncate _raw to this size and then do auto KV. A value of 0 means that no truncation occurs. "minValue": 1

"maxValue": 20480
"defaultValue": 10240

limit The maximum number of fields that an automatic key-value field extraction (auto kv) can generate at search time. "minValue": 1

"maxValue": 200
"defaultValue": 100

maxcols When non-zero, the point at which kv stops creating new fields. "minValue": 256

"maxValue": 2048
"defaultValue": 512

[pdf] max_rows_per_table The maximum number of rows that will be rendered for a table within integrated PDF rendering. "minValue": 500

"maxValue": 5000
"defaultValue": 1000

[scheduler] max_per_result_alerts Maximum number of alerts to trigger for each saved search instance (or real-time results preview for RT alerts). Only applies in non-digest mode alerting. "minValue": 250

"maxValue": 5000
"defaultValue": 500

max_per_result_alerts_time Maximum amount of time, in seconds, to spend triggering alerts for each saved search instance (or real-time results preview for RT alerts). Only applies in non-digest mode alerting. "minValue": 150

"maxValue": 1800
"defaultValue": 300

[searchresults] maxresultrows Maximum number of events generated by search commands "minValue": 0

"maxValue": 1000000
"defaultValue": 50000

[spath] extraction_cutoff For 'extract-all' spath extraction mode, this setting applies extraction only to the first <integer> number of bytes. This setting applies both the auto kv extraction and the spath command, when explicitly extracting fields. "minValue": 2500

"maxValue": 2000000
"defaultValue": 5000

[subsearch] maxout Maximum number of results to return from a subsearch. "minValue": 0

"maxValue": 10400
"defaultValue": 10000

maxtime Maximum number of seconds to run a subsearch before finalizing "minValue": 0

"maxValue": 120
"defaultValue": 60

All editable limits.conf settings are reloadable.

For more detailed information on each of the supported limits.conf settings, see Limits.conf in the Splunk Enterprise Admin Manual.

Enable automatic UI updates and token authentication

Before you can access and use the Configure limits page in Splunk Web, you must enable automatic UI updates and token authentication for your deployment.

To enable automatic UI updates:

  1. In Splunk Web, select Settings > Automatic UI updates.
  2. Set the switch to enable automatic UI updates.
  3. Select Save.

After you enable automatic UI updates the Configure Limits menu option appears under Settings > Server settings.

To enable token authentication:

  1. In Splunk Web, select Settings > Tokens > Token Settings.
  2. Set the Token Authentication switch to Enabled.

You can also find the Token Settings page through the interactive search bar.

Configure limits.conf settings

To view, edit, or reset limits.conf settings using Splunk Web:

  1. Select Settings > Server settings.
  2. Edit one or more of the available limits.conf settings values.
  3. Select Save. A successful request message means that your edits have been submitted successfully, but setting changes can still take time to propagate.
Last modified on 01 November, 2024
Configure webhook allow list using Splunk Web   Manage HTTP Event Collector (HEC) tokens in Splunk Cloud Platform

This documentation applies to the following versions of Splunk Cloud Platform: 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release), 9.3.2408


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters