Splunk Search

The search you ran returned a number of fields that exceeded the current indexed field extraction limit='200'

jbanAtSplunk
Path Finder

The search you ran returned a number of fields that exceeded the current indexed field extraction limit='200'
To ensure that all fields are extracted for search, set limits.conf: [kv] / indexed_kv_limit to a number that is higher than the number of fields contained in the files that you index.

Hi,

I am getting the above error, while on the left side I have only 35-10 fields extracted during search time.
The log is ingested with Splunk HEC using Splunk_TA_nix with the linux_secure stanza.

How can I detect what is causing the above error, as I didn't find anything that would create indexed fields, etc., and I didn't see fields created on the left?

How to troubleshoot this?

With a search like this, I got 11 fields:
| walklex index="<index_name>" type=field
| search NOT field=" *"
| stats list(distinct_values) by field

