Splunk Cloud Platform

Admin Config Service Manual

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Manage limits.conf configurations in Splunk Cloud Platform

The Admin Config Service (ACS) API supports self-service management of limits.conf configurations, which is useful for optimizing search performance on your Splunk Cloud Platform deployment. You can use the ACS API to edit, view, and reset select limits.conf settings programmatically, without assistance from Splunk Support.

Requirements

To manage limits.conf configurations using the ACS API:

  • You must have the sc_admin role.
  • You must have Splunk Cloud Platform version 8.2.2203.
  • Your Splunk Cloud Platform deployment must be on Victoria Experience. See Determine your Splunk Cloud Platform Experience.
  • Your deployment must have one or more separate search heads or a search head cluster. ACS is not supported on single instance deployments.

The ACS API does not currently support AWS GovCloud or FedRAMP environments.

Changing limits.conf settings can affect the performance of your Splunk Cloud Platform deployment.

Set up the ACS API

Before using the ACS API, you must download the ACS Open API 3.0 specification, which includes the parameters, codes, and other data you need to work with the ACS API. You must also create a JWT authentication token in Splunk Cloud Platform for use with ACS endpoint requests. For details on how to set up the ACS API for app management, see Set up the ACS API.

Manage limits.conf configurations using the ACS API

This section shows you how to view, edit, and reset select limits.conf settings using the ACS API.

The following table shows editable limits.conf settings by stanza, with minimum, maximum, and default values:

Stanza Setting Description Values (min/max/default)
[join] subsearch_maxout The maximum number of result rows to output from subsearch to join against. "minValue": 0

"maxValue": 100000
"defaultValue": 50000

subsearch_maxtime Maximum search time, in seconds, before auto-finalization of subsearch. "minValue": 0

"maxValue": 120
"defaultValue": 60

subsearch_timeout Maximum time, in seconds, to wait for subsearch to fully finish. "minValue": 0

"maxValue": 240
"defaultValue": 120

[kv] maxchars Truncate _raw to this size and then do auto KV. "minValue": 0

"maxValue": 20480
"defaultValue": 10240

limit The maximum number of fields that an automatic key-value field extraction (auto kv) can generate at search time. "minValue": 0

"maxValue": 200
"defaultValue": 100

maxcols When non-zero, the point at which kv stops creating new fields. "minValue": 256

"maxValue": 2048
"defaultValue": 512

[pdf] max_rows_per_table The maximum number of rows that will be rendered for a table within integrated PDF rendering. "minValue": 500

"maxValue": 5000
"defaultValue": 1000

[scheduler] max_per_result_alerts Maximum number of alerts to trigger for each saved search instance (or real-time results preview for RT alerts). Only applies in non-digest mode alerting. "minValue": 250

"maxValue": 5000
"defaultValue": 500

max_per_result_alerts_time Maximum amount of time, in seconds, to spend triggering alerts for each saved search instance (or real-time results preview for RT alerts). Only applies in non-digest mode alerting. "minValue": 150

"maxValue": 1800
"defaultValue": 300

[searchresults] maxresultrows Maximum number of events generated by search commands "minValue": 0

"maxValue": 1000000
"defaultValue": 50000

[spath] extraction_cutoff For 'extract-all' spath extraction mode, this setting applies extraction only to the first <integer> number of bytes. This setting applies both the auto kv extraction and the spath command, when explicitly extracting fields. "minValue": 2500

"maxValue": 2000000
"defaultValue": 5000

[subsearch] maxout Maximum number of results to return from a subsearch. "minValue": 0

"maxValue": 10400
"defaultValue": 10000

maxtime Maximum number of seconds to run a subsearch before finalizing "minValue": 0

"maxValue": 120
"defaultValue": 60

All editable limits.conf settings are reloadable.

For more information on limits.conf settings, see limits.conf in the Splunk Enterprise Admin Manual.

View all limits.conf settings

To list the current configuration of all editable limits.conf settings, send an HTTP GET request to the limits endpoint. For example:

curl -X GET https://admin.splunk.com/{stack}/adminconfig/v2/limits \
-H "Authorization: Bearer <token>"

The request returns a list of all editable limits.conf stanzas and their corresponding values. For example:

[{"Stanza":"join","Values":{"subsearch_maxout":"91519","subsearch_maxtime":"111","subsearch_timeout":"120"}},{"Stanza":"kv","Values":{"limit":"100","maxchars":"182"}},{"Stanza":"subsearch","Values":{"maxout":"10000","maxtime":"60"}}]

For endpoint details, see limits in the ACS endpoint reference.

Edit limits.conf settings

To edit limits.conf settings, send an HTTP POST request to the limits/{stanza} endpoint, specifying the name of the limits.conf stanza in the request URL, and the setting name and updated value in the request body. For example:

curl --location --request POST 'https://admin.splunk.com/{stack}/adminconfig/v2/limits/{stanza}' \
--header 'Authorization: Bearer <token>' \
--header 'Content-Type: application/json' \
--data-raw '{
    "settings": {
        "subsearch_maxout": 91519,
        "subsearch_maxtime": 111
    }
}'

A successful request returns the settings and their updated values, with 202 status code, indicating the request was accepted, but the configuration update is still in progress due to the asynchronous ACS API. For example:

{"settings":{"subsearch_maxout":91519,"subsearch_maxtime":111}}

To confirm that your limits.conf update is complete, send an HTTP GET request to the limits/{stanza} endpoint, until the updated settings values appear in the output. See View a specific limits.conf stanza.

Invalid request responses

If your request contains a non-existent or uneditable stanza or setting, ACS returns an invalid response. For example:

{"code":"403-forbidden","message":"not allowed to access setting <invalid stanza>"}

If your request contains out-of-bounds setting value, ACS returns an invalid response. For example:

{"code":"403-forbidden","message":"request value 11111111111111.000000 outside of bounds min: 0.000000, max: 120.000000"}

If your request contains a non-integer setting value, ACS returns an invalid response. For example:

{"code":"403-forbidden","message":"Values provided must be positive integers"}

For endpoint details, see limits/{stanza} in the ACS endpoint reference.

View a specific limits.conf stanza

To view the current configuration of a specific limits.conf stanza, send an HTTP GET request to the limits/{stanza} endpoint, specifying the name of the stanza. For example:

curl -X GET https://admin.splunk.com/{stack}/adminconfig/v2/limits/{stanza} \
-H "Authorization: Bearer <token>"

The request returns a list of all editable settings and their values in the stanza. For example:

{"subsearch_maxout":"91519","subsearch_maxtime":"111","subsearch_timeout":"120"}

The GET request for a specific stanza returns only editable settings in that stanza.

For endpoint details, see limits/{stanza} in the ACS endpoint reference.

View a specific limits.conf setting

To view the configuration of a specific limits.conf setting under a specific stanza, send an HTTP GET request to the limits/{stanza}/{setting} endpoint, specifying the name of the stanza and the setting. For example:

curl -X GET https://admin.splunk.com/{stack}/adminconfig/v2/limits/{stanza}/{setting} \
-H "Authorization: Bearer <token>"

The request returns the specified setting and its current value. For example:

{"subsearch_maxout":"91519"}

For endpoint details, see limits/{stanza}/{setting} in the ACS endpoint reference.

View default values for settings in all stanzas

To view all supported stanzas along with with default values for each setting within the stanza, send an HTTP GET request to the /limits/defaults endpoint. For example:

curl -X GET https://admin.splunk.com/{stack}/adminconfig/v2/limits/defaults \
-H "Authorization: Bearer <token>"

The request returns a list of all supported stanzas along with the default value for each setting within the stanza:

[
	{
		"stanza": "join",
		"settings": [
			{
				"setting": "subsearch_maxout",
				"minValue": 0,
				"maxValue": 100000,
				"defaultValue": 50000
			},
			{
				"setting": "subsearch_maxtime",
				"minValue": 0,
				"maxValue": 120,
				"defaultValue": 60
			},
			{
				"setting": "subsearch_timeout",
				"minValue": 0,
				"maxValue": 240,
				"defaultValue": 120
			}
		]
	},
    ...
]

For endpoint details, see limits/defaults in the ACS endpoint reference.

View default values for settings in a specific stanza

To view default values for settings within a specific stanza, send an HTTP GET request to the /limits/{stanza}/defaults endpoint. For example:

curl -X GET https://admin.splunk.com/{stack}/adminconfig/v2/limits/subsearch/defaults \
-H "Authorization: Bearer <token>"

The request returns a list of default values for settings with the specified stanza. For example:

{
	"stanza": "subsearch",
	"settings": [
		{
			"setting": "maxout",
			"minValue": 0,
			"maxValue": 10400,
			"defaultValue": 10000
		},
		{
			"setting": "maxtime",
			"minValue": 0,
			"maxValue": 120,
			"defaultValue": 60
		}
	]
}

For endpoint details, see limits/{stanza}/defaults in the ACS endpoint reference.

Reset all limits.conf settings under a specific stanza

To reset all editable limits.conf setting values under a specific stanza, send an HTTP POST request to the limits/{stanza}/reset endpoint, specifying the name of the stanza in the request URL. For example:

curl --location --request POST 'https://admin.splunk.com/{stack}/adminconfig/v2/limits/{stanza}/reset' \
--header 'Authorization: Bearer <token>'

A successful request returns all editable settings in the stanza with their reset default values. For example:

{"settings":{"subsearch_maxout":50000,"subsearch_maxtime":60,"subsearch_timeout":120}}

If your request contains an invalid or uneditable stanza, ACS returns a "not allowed to access stanza" message. For example:

{"code":"403-forbidden","message":"not allowed to access stanza <invalid stanza>"}

For endpoint details, see limits/{stanza}/reset in the ACS endpoint reference.

Reset specific limits.conf settings under a specific stanza

To reset a specific set of editable limits.conf settings under a specific stanza, send an HTTP POST request to the limits/{stanza}/reset endpoint, specifying the name of the stanza in the request URL, and the names of the settings in the request body. For example:

curl --location --request POST 'https://admin.splunk.com/{stack}/adminconfig/v2/limits/{stanza}/reset' \
--header 'Authorization: Bearer <token>' \
--header 'Content-Type: application/json' \
--data-raw '{
    "settings": [
        "subsearch_maxout", "subsearch_timeout"
    ]
}'

A successful request returns the specific settings in the stanza, reset to their default values. For example:

{"settings":{"subsearch_maxout":50000,"subsearch_timeout":120}}

If your request contains one or more uneditable or invalid settings, ACS returns a "not allowed to access setting" message. For example:

{"code":"403-forbidden","message":"not allowed to access setting <invalid settings>"}

If even a single specified setting is invalid, ACS will reject the request.

For endpoint details, see limits/{stanza}/reset in the ACS endpoint reference.

Last modified on 22 September, 2022
PREVIOUS
Manage indexes in Splunk Cloud Platform
  NEXT
Manage private apps in Splunk Cloud Platform

This documentation applies to the following versions of Splunk Cloud Platform: 8.2.2203, 9.0.2205, 9.0.2208


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters