<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Automatic Lookup and  indexed_kv_limit limit reached ? in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Automatic-Lookup-and-indexed-kv-limit-limit-reached/m-p/537147#M90034</link>
    <description>&lt;P&gt;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/182927"&gt;@Rodelanuit&lt;/a&gt;&amp;nbsp;did you manage to resolve the lookup issue?&lt;/P&gt;</description>
    <pubDate>Tue, 26 Jan 2021 00:32:12 GMT</pubDate>
    <dc:creator>_varied</dc:creator>
    <dc:date>2021-01-26T00:32:12Z</dc:date>
    <item>
      <title>Automatic Lookup and  indexed_kv_limit limit reached ?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Automatic-Lookup-and-indexed-kv-limit-limit-reached/m-p/521024#M88047</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;I'm looking for details on indexed_kv_limit parameter following an upgrade from 7.x to 8.x.&lt;/P&gt;&lt;P&gt;After an upgrade, I saw a warning message from my indexers saying :&amp;nbsp;&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;The search you ran returned a number of fields that exceeded the current indexed field extraction limit. To ensure that all fields are extracted for search, set limits.conf: [kv] / indexed_kv_limit to a number that is higher than the number of fields contained in the files that you index.&lt;/LI-CODE&gt;&lt;P&gt;When I inspect the job, I noticed many lookup are loaded by&amp;nbsp;&lt;STRONG&gt;AutoLookupDriver &lt;/STRONG&gt;not related to my sourcetype.&amp;nbsp;These lookup are configured by various TA (palo alto, cisco et c....).&lt;/P&gt;&lt;P&gt;After, the lookup loading, I noticed more than 400 fields appears in &lt;STRONG&gt;Final required field list&lt;/STRONG&gt;.&lt;/P&gt;&lt;P&gt;Are Fields required related to lookup loaded ? &lt;EM&gt;(from my understanding : yes)&lt;/EM&gt;&lt;/P&gt;&lt;P&gt;However, I don't understand why the search doesn't limit the lookup to the sourcetype of the logs. Is-it possible to limit these loading ?&lt;/P&gt;&lt;P&gt;Regards.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 23 Sep 2020 11:01:42 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Automatic-Lookup-and-indexed-kv-limit-limit-reached/m-p/521024#M88047</guid>
      <dc:creator>Rodelanuit</dc:creator>
      <dc:date>2020-09-23T11:01:42Z</dc:date>
    </item>
    <item>
      <title>Re: Automatic Lookup and  indexed_kv_limit limit reached ?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Automatic-Lookup-and-indexed-kv-limit-limit-reached/m-p/521029#M88048</link>
      <description>&lt;P&gt;Automatic lookups are configured based on sourcetype. They are applied only to data which is matching with their configured sourcetype.&lt;/P&gt;&lt;P&gt;&lt;SPAN class="mw-headline"&gt;&lt;A href="https://docs.splunk.com/Documentation/Splunk/8.0.6/Admin/Limitsconf" target="_blank" rel="noopener"&gt;https://docs.splunk.com/Documentation/Splunk/8.0.6/Admin/Limitsconf&lt;/A&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN class="mw-headline"&gt;[kv]&lt;/SPAN&gt;&lt;/P&gt;&lt;PRE&gt;avg_extractor_time = &amp;lt;integer&amp;gt;
* Maximum amount of CPU time, in milliseconds, that the average (over search
  results) execution time of a key-value pair extractor will be allowed to take
  before warning. Once the average becomes larger than this amount of time a
  warning will be issued
* Default: 500 (.5 seconds)

limit = &amp;lt;integer&amp;gt;
* The maximum number of fields that an automatic key-value field extraction
  (auto kv) can generate at search time.
* The summary fields 'host', 'index', 'source', 'sourcetype', 'eventtype',
  'linecount', 'splunk_server', and 'splunk_server_group' do not count against
  this limit and will always be returned.
* Increase this setting if, for example, you have data with a large
  number of columns and want to ensure that searches display all fields extracted
  from an automatic key-value field (auto kv) configuration.
* Set this value to 0 if you do not want to limit the number of fields
  that can be extracted at index time and search time.
* Default: 100

indexed_kv_limit = &amp;lt;integer&amp;gt;
* The maximum number of fields that can be extracted at index time from a data source.
* Fields that can be extracted at index time include default fields, custom fields,
  and structured data header fields.
* The summary fields 'host', 'index', 'source', 'sourcetype', 'eventtype', 'linecount',
  'splunk_server', and 'splunk_server_group' do not count against this limit and are
  always returned.
* Increase this setting if, for example, you have indexed data with a large
  number of columns and want to ensure that searches display all fields from
  the data.
* Set this value to 0 if you do not want to limit the number of fields
  that can be extracted at index time.
* Default: 200&lt;/PRE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 23 Sep 2020 11:32:03 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Automatic-Lookup-and-indexed-kv-limit-limit-reached/m-p/521029#M88048</guid>
      <dc:creator>thambisetty</dc:creator>
      <dc:date>2020-09-23T11:32:03Z</dc:date>
    </item>
    <item>
      <title>Re: Automatic Lookup and  indexed_kv_limit limit reached ?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Automatic-Lookup-and-indexed-kv-limit-limit-reached/m-p/521034#M88049</link>
      <description>&lt;P&gt;I'm aware of limits.conf file, however, i would like to try to resolve my lookup issue instead of rising the limit.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;When, I inspect the search.log file, I noticed all lookup are loaded :&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;09-23-2020 13:45:43.293 INFO  AutoLookupDriver - Will use Lookup: LOOKUP-cisco_ios-action
09-23-2020 13:45:43.293 INFO  AutoLookupDriver - Will use Lookup: LOOKUP-cisco_ios-dest_interface_name
09-23-2020 13:45:43.293 INFO  AutoLookupDriver - Will use Lookup: LOOKUP-cisco_ios-facility_categories
09-23-2020 13:45:43.293 INFO  AutoLookupDriver - Will use Lookup: LOOKUP-cisco_ios-icmp_code
09-23-2020 13:45:43.293 INFO  AutoLookupDriver - Will use Lookup: LOOKUP-cisco_ios-messages
09-23-2020 13:45:43.293 INFO  AutoLookupDriver - Will use Lookup: LOOKUP-cisco_ios-severity
09-23-2020 13:45:43.293 INFO  AutoLookupDriver - Will use Lookup: LOOKUP-cisco_ios-src_interface_name
09-23-2020 13:45:43.293 INFO  AutoLookupDriver - Will use Lookup: LOOKUP-vendor_info_for_pan_analytics_traps
09-23-2020 13:45:43.293 INFO  AutoLookupDriver - Will use Lookup: LOOKUP-vendor_info_for_pan_aperture
09-23-2020 13:45:43.293 INFO  AutoLookupDriver - Will use Lookup: LOOKUP-vendor_info_for_pan_config
09-23-2020 13:45:43.293 INFO  AutoLookupDriver - Will use Lookup: LOOKUP-vendor_info_for_pan_config_traps
09-23-2020 13:45:43.293 INFO  AutoLookupDriver - Will use Lookup: LOOKUP-vendor_info_for_pan_hipmatch
09-23-2020 13:45:43.293 INFO  AutoLookupDriver - Will use Lookup: LOOKUP-vendor_info_for_pan_system_traps
09-23-2020 13:45:43.293 INFO  AutoLookupDriver - Will use Lookup: LOOKUP-vendor_info_for_pan_threat_traps
09-23-2020 13:45:43.293 INFO  AutoLookupDriver - Will use Lookup: LOOKUP-vendor_info_for_pan_traps4
09-23-2020 13:45:43.293 INFO  AutoLookupDriver - Will use Lookup: LOOKUP-vendor_traffic_action&lt;/LI-CODE&gt;</description>
      <pubDate>Wed, 23 Sep 2020 11:49:27 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Automatic-Lookup-and-indexed-kv-limit-limit-reached/m-p/521034#M88049</guid>
      <dc:creator>Rodelanuit</dc:creator>
      <dc:date>2020-09-23T11:49:27Z</dc:date>
    </item>
    <item>
      <title>Re: Automatic Lookup and  indexed_kv_limit limit reached ?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Automatic-Lookup-and-indexed-kv-limit-limit-reached/m-p/521035#M88050</link>
      <description>&lt;P&gt;I have automatic lookups but I am not seeing AutoLookupDriver. But I am seeing like below:&lt;/P&gt;&lt;PRE&gt;09-23-2020 11:57:17.664 INFO  CsvDataProvider - Reading schema for lookup table='identity_lookup_default_fields', file size=21, modtime=1572594789&lt;/PRE&gt;</description>
      <pubDate>Wed, 23 Sep 2020 11:58:37 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Automatic-Lookup-and-indexed-kv-limit-limit-reached/m-p/521035#M88050</guid>
      <dc:creator>thambisetty</dc:creator>
      <dc:date>2020-09-23T11:58:37Z</dc:date>
    </item>
    <item>
      <title>Re: Automatic Lookup and  indexed_kv_limit limit reached ?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Automatic-Lookup-and-indexed-kv-limit-limit-reached/m-p/521048#M88054</link>
      <description>&lt;P&gt;After looking into my other indexes, i noticed the same lookup are always selected but the number of&amp;nbsp;&lt;SPAN&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN&gt;command.search.kv doesn't seem linked (and so the limit indexed_kv_limit is not triggered).&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;I will continue my debug :).&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 23 Sep 2020 12:34:19 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Automatic-Lookup-and-indexed-kv-limit-limit-reached/m-p/521048#M88054</guid>
      <dc:creator>Rodelanuit</dc:creator>
      <dc:date>2020-09-23T12:34:19Z</dc:date>
    </item>
    <item>
      <title>Re: Automatic Lookup and  indexed_kv_limit limit reached ?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Automatic-Lookup-and-indexed-kv-limit-limit-reached/m-p/521064#M88057</link>
      <description>&lt;P&gt;I checked release notes and saw a known issue in 8.0.3 :&lt;/P&gt;&lt;TABLE&gt;&lt;TBODY&gt;&lt;TR&gt;&lt;TD&gt;2020-04-24&lt;/TD&gt;&lt;TD&gt;SPL-186424, SPL-185211&lt;/TD&gt;&lt;TD&gt;indexed_kv_limit related warning messages&lt;/TD&gt;&lt;/TR&gt;&lt;/TBODY&gt;&lt;/TABLE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I'm in 8.0.6, so normally, i'm not affected by this issue, but for the moment, didn't see anything else which could explain my issue.&lt;/P&gt;</description>
      <pubDate>Wed, 23 Sep 2020 13:40:21 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Automatic-Lookup-and-indexed-kv-limit-limit-reached/m-p/521064#M88057</guid>
      <dc:creator>Rodelanuit</dc:creator>
      <dc:date>2020-09-23T13:40:21Z</dc:date>
    </item>
    <item>
      <title>Re: Automatic Lookup and  indexed_kv_limit limit reached ?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Automatic-Lookup-and-indexed-kv-limit-limit-reached/m-p/537147#M90034</link>
      <description>&lt;P&gt;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/182927"&gt;@Rodelanuit&lt;/a&gt;&amp;nbsp;did you manage to resolve the lookup issue?&lt;/P&gt;</description>
      <pubDate>Tue, 26 Jan 2021 00:32:12 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Automatic-Lookup-and-indexed-kv-limit-limit-reached/m-p/537147#M90034</guid>
      <dc:creator>_varied</dc:creator>
      <dc:date>2021-01-26T00:32:12Z</dc:date>
    </item>
  </channel>
</rss>

