Docs » Splunk Log Observer Connect » Log Observer Connect limits

Log Observer Connect limits πŸ”—

This page documents Splunk Log Observer Connect service limits and behavior. System protection limits are meant to allow for stability and availability of multi-tenant systems and are subject to fine-tuning and change without notice.

Log Observer Connect search query limits πŸ”—

The following table lists Log Observer Connect’s search query limits:

Limit name

Default limit value

Maximum number of saved search queries

1,000

Maximum number of logs processed for fields summary

150,000

Maximum number of saved search queries πŸ”—

This is the maximum number of saved search queries that can be created in an organization.

What happens when the limit is hit? πŸ”—

The user experience might degrade and is not guaranteed to be functional.

Maximum number of logs processed for the fields summary πŸ”—

The Log Observer Connect UI displays a summary of fields and their value distribution. By default, it processes the most recent 150,0000 events to generate this view.

What happens when the limit is hit? πŸ”—

If the search results contain more than 150,000 events, then only the latest 150,000 events are processed.

Other limits πŸ”—

Each Log Observer Connect user is also subject to the limits of their Splunk platform role. A user can only access Splunk platform resources that their Splunk platform role allows them to access. See About configuring role-based user access for more information.

This page was last updated on Oct 02, 2023.