Hi t_splunk_d,
Update after feedback and some more research:
This is a default setting in limits.conf related to the automatic key value extraction of _raw:
maxchars = <integer>
* Truncate _raw to this size and then do auto KV.
* Default: 10240 characters
After increasing this to a higher number I was able to use KV pairs after 10000 characters.
Another reason could be the event truncation described below.
This is not a limit in the search; your data was truncated by Splunk.
By default, Splunk truncates events after 10000 bytes or characters; see the docs at http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf for more details, but here is the important part:
TRUNCATE = <non-negative integer>
* Change the default maximum line length (in bytes).
* Although this is in bytes, line length is rounded down when this would
otherwise land mid-character for multi-byte characters.
* Set to 0 if you never want truncation (very long lines are, however, often
a sign of garbage data).
* Defaults to 10000 bytes.
To change this, you need to set a high TRUNCATE value in props.conf for the source or sourcetype:
[YourSourceTypeHere]
TRUNCATE = a higher number than the maximum length of your events
Apply this on the parsing instance of Splunk (index or heavy weight forwarder), restart this instance, and any new data will no longer be truncated.
Hope this helps ...
cheers, MuS
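Added example, not part of the post above and not Splunk's code: a simplified Python model of the two limits the answer describes (TRUNCATE in bytes at parse time, maxchars in characters for automatic KV), showing which keys disappear from an event under each. The key=value regex, the function names and both sample events are constructed assumptions for illustration.

```python
# Simplified model of the two limits; real Splunk parsing is more involved.
import re

TRUNCATE_DEFAULT = 10000   # props.conf TRUNCATE, measured in bytes
MAXCHARS_DEFAULT = 10240   # limits.conf maxchars, measured in characters

def truncate_event(raw: str, limit: int = TRUNCATE_DEFAULT) -> str:
    """Cut an event at `limit` bytes, rounding down to a whole character."""
    data = raw.encode("utf-8")
    if limit == 0 or len(data) <= limit:   # 0 means never truncate
        return raw
    # errors="ignore" drops a multi-byte character split by the cut
    return data[:limit].decode("utf-8", errors="ignore")

def auto_kv(raw: str, maxchars: int = MAXCHARS_DEFAULT) -> dict:
    """Extract key=value pairs from the first `maxchars` characters only.
    The regex is an assumed stand-in for automatic KV extraction."""
    return dict(re.findall(r"(\w+)=(\S+)", raw[:maxchars]))

def lost_keys(raw: str, truncate: int = TRUNCATE_DEFAULT,
              maxchars: int = MAXCHARS_DEFAULT) -> list:
    """Keys present in the full event but missing once both limits apply."""
    full = auto_kv(raw, maxchars=len(raw))
    seen = auto_kv(truncate_event(raw, truncate), maxchars)
    return sorted(set(full) - set(seen))

# Constructed sample events (not real log data)
padding = "x" * 10300
ascii_event = f"user=alice action=login {padding} src_ip=10.0.0.5"
utf8_event = "msg=" + "é" * 6000 + " status=failed"   # 6018 chars, 12018 bytes

if __name__ == "__main__":
    print(lost_keys(ascii_event))                               # both defaults
    print(lost_keys(ascii_event, truncate=0))                   # only TRUNCATE raised
    print(lost_keys(ascii_event, truncate=0, maxchars=20000))   # both raised
    print(lost_keys(utf8_event))                                # byte limit hits first
```

The second call shows why raising TRUNCATE alone is not enough for a field that sits past 10240 characters, and the last call shows a multi-byte event being cut by the byte limit well before it reaches 10000 characters.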