
Splunk Cloud: Extracted fields limit?

splunk_luis12
Path Finder

Hi folks,

I'm using Splunk Cloud and I'm getting only 200 fields extracted or less.

After checking limits.conf it seems like it can be increased, but I'm not sure if I can modify it myself.

So these are my questions:

  • Can I increase it using ACS?
  • Is this a global change or can it be applied to a specific index?
  • What is the limit for this setting? It is not specified in limits.conf.
  • Lastly, can I have performance issues by setting it to 0 or increasing it a lot?

Thanks in advance!


richgalloway
SplunkTrust

That setting cannot be changed using ACS so you'll have to submit a support request.  See https://docs.splunk.com/Documentation/SplunkCloud/9.0.2209/Config/ManageLimits

limits.conf is global.  It affects all indexes and all apps.

The maximum value is unpublished so we don't know how high it can go.  Consider submitting documentation feedback to ask Splunk to include that information.

Yes, you absolutely can have performance issues by indexing a lot of fields.  It's one of the reasons Splunk discourages index-time field extraction.  Search-time field extraction offers more flexibility in how fields are extracted and doesn't take up storage space like index-time extraction does.  Also, the limits.conf setting for search-time extraction, limit, can be set using ACS.

---
If this reply helps you, Karma would be appreciated.

splunk_luis12
Path Finder

Thanks for your response.

I found in this documentation the following:

* The Splunk platform always uses the higher value for either setting to enforce index-time field extraction limits.

* If you set 'indexed_kv_limit' to "200" and 'limit' to "500", then the platform limits both index-time and search-time field extraction to 500.

So it means that if I increase the 'limit' value via ACS (which seems to be possible) then the 'indexed_kv_limit' value will increase as well, right?

Also, can I increase this value in an ITSI SH using ACS?

I appreciate any insight. Thanks.


richgalloway
SplunkTrust

That's a good find in the docs.  I agree that changing limit to 500 should also change indexed_kv_limit to 500.

Yes, you should be able to change the setting on the ITSI SH using ACS.

I still encourage you to re-think the idea of indexing so many fields.
