I have a distributed multisite architecture, with a single Search Head, 2 indexers and, 2 Forwarders a Cluster Master, all in 7.3.3
I have to change some values in
limits.conf to increase the number of extracted fields.
Where I have to change the value? In all machines? Only in the Cluster Master? Only in the Search Head? In the Search Head and in the indexers?
I have read a lot of threads, and a lot of docs, but this is not explicitly documented, or i have not found it.
Thanks in advance and sorry if this is a "noob" question, it's my first time 🙂
Thanks! One more question...
My problem is that when I run a search in the raw data I see fields than I don't see in the extracted fields, and i can't search for a specific value in these fields.
I think that changing the limit.conf file, I will be able to search for a specific value in this fields. Is it correct?
Thanks again, @manjunathmeti !
By default splunk extract first 100 fields from raw data at search time OR 200 at index time based on KV_MODE setting. If your data has more than 200 fields and KV_MODE set to none for source/sourcetype then increase kv limit value on limits.conf on indexers, else increase it on search heads.