indexed_kv_limit Error

surejsajeev · ‎05-17-2021

I am running a query to parse a two-level nested JSON that takes out only the second level dict and puts it in the form of a column. The query works perfectly. However, when I run it, I get this error message from Splunk

This is the query

"The search you ran returned a number of fields that exceeded the current indexed field extraction limit. To ensure that all fields are extracted for search, set limits.conf: [kv] / indexed_kv_limit to a number that is higher than the number of fields contained in the files that you index."

Could you advise on how I can resolve this issue, please? I am not sure of the no of fields that my query will generate. Any dynamic limit that I can see?

Your help is much appreciated.

ITWhisperer · ‎05-17-2021

Increase the limit is limits.conf or try this https://community.splunk.com/t5/Splunk-Search/mvexpand-limits/m-p/549178

indexed_kv_limit Error

search job inspector

table

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation

indexed_kv_limit Error

search job inspector

table

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future