Configure limits using Splunk Web
Splunk Cloud Platform supports self-service configuration of select limits.conf settings, which can be useful for optimizing search performance. You can use the Configure limits page in Splunk Web to view and edit limits.conf settings, without assistance from Splunk Support.
Alternatively, you can configure limits.conf settings programmatically using the Admin Config Service (ACS) API. For more information, see Manage limits.conf configurations in Splunk Cloud Platform in the Admin Config Service Manual.
Requirements
To configure limits.conf
using Splunk Web:
- You must have the
sc_admin
role. - You must have the
edit_limits_conf
capability. Thesc_admin
role includes this capability by default. - You must have Splunk Cloud Platform version 9.0.2209 or higher.
- Your Splunk Cloud Platform deployment must be on Victoria Experience. See Determine your Splunk Cloud Platform Experience.
- Automatic UI updates and token authentication must be enabled for your deployment.
- Your deployment must have one or more separate search heads or a search head cluster.
The Configure limits UI does not currently support AWS GovCloud or FedRAMP environments.
Changing limits.conf settings can affect the performance of your Splunk Cloud Platform deployment.
View and edit limits.conf settings
This section shows you how to view and edit select limits.conf
settings using Splunk Web.
The table shows editable limits.conf
settings by stanza, with minimum, maximum, and default values:
Stanza | Setting | Description | Values (min/max/default) |
---|---|---|---|
[join] | subsearch_maxout | The maximum number of result rows to output from subsearch to join against. | "minValue": 0 "maxValue": 100000 |
subsearch_maxtime | Maximum search time, in seconds, before auto-finalization of subsearch. | "minValue": 0 "maxValue": 120 | |
[kv] | maxchars | Truncate _raw to this size and then do auto KV. A value of 0 means that no truncation occurs. | "minValue": 1 "maxValue": 20480 |
limit | The maximum number of fields that an automatic key-value field extraction (auto kv) can generate at search time. | "minValue": 1 "maxValue": 200 | |
maxcols | When non-zero, the point at which kv stops creating new fields. | "minValue": 256 "maxValue": 2048 | |
[pdf] | max_rows_per_table | The maximum number of rows that will be rendered for a table within integrated PDF rendering. | "minValue": 500 "maxValue": 5000 |
[scheduler] | max_per_result_alerts | Maximum number of alerts to trigger for each saved search instance (or real-time results preview for RT alerts). Only applies in non-digest mode alerting. | "minValue": 250 "maxValue": 5000 |
max_per_result_alerts_time | Maximum amount of time, in seconds, to spend triggering alerts for each saved search instance (or real-time results preview for RT alerts). Only applies in non-digest mode alerting. | "minValue": 150 "maxValue": 1800 | |
[searchresults] | maxresultrows | Maximum number of events generated by search commands | "minValue": 0 "maxValue": 1000000 |
[spath] | extraction_cutoff | For 'extract-all' spath extraction mode, this setting applies extraction only to the first <integer> number of bytes. This setting applies both the auto kv extraction and the spath command, when explicitly extracting fields. | "minValue": 2500 "maxValue": 2000000 |
[subsearch] | maxout | Maximum number of results to return from a subsearch. | "minValue": 0 "maxValue": 10400 |
maxtime | Maximum number of seconds to run a subsearch before finalizing | "minValue": 0 "maxValue": 120 |
All editable limits.conf
settings are reloadable.
For more detailed information on each of the supported limits.conf settings, see Limits.conf in the Splunk Enterprise Admin Manual.
Enable automatic UI updates and token authentication
Before you can access and use the Configure limits page in Splunk Web, you must enable automatic UI updates and token authentication for your deployment.
To enable automatic UI updates:
- In Splunk Web, select Settings > Automatic UI updates.
- Set the switch to enable automatic UI updates.
- Select Save.
After you enable automatic UI updates the Configure Limits menu option appears under Settings > Server settings.
To enable token authentication:
- In Splunk Web, select Settings > Tokens > Token Settings.
- Set the Token Authentication switch to Enabled.
You can also find the Token Settings page through the interactive search bar.
Configure limits.conf settings
To view, edit, or reset limits.conf settings using Splunk Web:
- Select Settings > Server settings.
- Edit one or more of the available limits.conf settings values.
- Select Save. A successful request message means that your edits have been submitted successfully, but setting changes can still take time to propagate.
Configure webhook allow list using Splunk Web | Manage HTTP Event Collector (HEC) tokens in Splunk Cloud Platform |
This documentation applies to the following versions of Splunk Cloud Platform™: 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release), 9.3.2408
Feedback submitted, thanks!