Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

The search you ran returned a number of fields that exceeded the current indexed field extraction limit='200'

jbanAtSplunk
Communicator
‎12-08-2021 02:48 AM

The search you ran returned a number of fields that exceeded the current indexed field extraction limit='200'
To ensure that all fields are extracted for search, set limits.conf: [kv] / indexed_kv_limit to a number that is higher than the number of fields contained in the files that you index.

Hi,

I am getting above error while on the left side I have only 35-10 fields extracted during search time.
Log is ingested with Splunk HEC using Splunk_TA_nix with linux_secure stanza.

How can I detect what is causing above error as didn't find anything that will create indexed fields, etc...and I didn't see fields on the left created.

How to troubleshoot this?

With search like this, I got 11 fields
| walklex index="<index_name>" type=field
| search NOT field=" *"
| stats list(distinct_values) by field


Labels (2)
Labels
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 2 releases of new security content via the ...

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We are happy to announce the 20 lucky questers who are selected to be the first round of Champion's Tribute ...

We’ve Got Education Validation!

Are you feeling it? All the career-boosting benefits of up-skilling with Splunk? It’s not just a feeling, it's ...