Even though I have overwritten what I believe is this limit in limits.conf,
btool is showing,
[show_source]
max_count = 50000
distributed_search_limit = 30000
distributed = true
The error message displays 10k rather than 50k.
Is this a bug as in the parameter is not being respected, or a bug as in the message not displaying the value Splunk is enforcing ?
Any recommendation on how to allow to check the source for
1st, know your limits:
http://docs.splunk.com/Documentation/Splunk/6.2.3/admin/Limitsconf
limits.conf settings and DISTRIBUTED SEARCH
Unlike most settings which affect searches, limits.conf settings are not
provided by the search head to be used by the search peers. This means that if
you need to alter search-affecting limits in a distributed environment, typically
you will need to modify these settings on the relevant peers and search head for
consistent results.
2nd, tell us your architecture. If you only have 1 server, my answer above is null and void.
3rd, as mentioned there is a configuration file precedence issue possibly. See the following:
http://docs.splunk.com/Documentation/Splunk/6.2.0/admin/Wheretofindtheconfigurationfiles
1st, know your limits:
http://docs.splunk.com/Documentation/Splunk/6.2.3/admin/Limitsconf
limits.conf settings and DISTRIBUTED SEARCH
Unlike most settings which affect searches, limits.conf settings are not
provided by the search head to be used by the search peers. This means that if
you need to alter search-affecting limits in a distributed environment, typically
you will need to modify these settings on the relevant peers and search head for
consistent results.
2nd, tell us your architecture. If you only have 1 server, my answer above is null and void.
3rd, as mentioned there is a configuration file precedence issue possibly. See the following:
http://docs.splunk.com/Documentation/Splunk/6.2.0/admin/Wheretofindtheconfigurationfiles
Thanks jkat54.
That makes sense, will push these changes to the Indexer cluster then.
There's no configuration file precedence issue as confirmed by btool, set this up in a specific App to exclusively target limits.conf (thus taking predence over system/{default,local})
number 1 should help you then! Thanks for marking the answer.
Try to do that in local/limits.conf and restart splunk after that if not done already