×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
manthantsarwade
New Member
Member since: ‎12-12-2025
‎12-14-2025
Community Statistics
Posts 2
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎12-12-2025
Activity Feed
View All

Re: KV limit in limits.conf

by in Splunk Enterprise
‎12-14-2025 09:34 PM
‎12-14-2025 09:34 PM
Hi @PrewinThomas, Thank you for the response.😄 As you mentioned that the KV limit does not apply when KV_MODE=json, we validated this during our internal testing and observed that more than 200 fields are being extracted successfully. However, on the client side, the same fields are not being extracted consistently. We are trying to understand if there are stricter limits or additional restrictions on other Splunk platforms, such as Splunk Victoria or Splunk Cloud. Regarding indexed_extractions, we understand that it still has a limit of 200 fields. In our case, the events are highly dynamic (containing arrays and deeply nested structures) and can reach 250+ fields in some scenarios. The client also mentioned that their detection rules are failing because the fields are not being extracted. Since detection rules operate at search time, would it be feasible for them to use spath within their detection rules so that the required fields are extracted at search time and become available for detection logic? Please let us know your thoughts or if there are any recommended best practices for handling this scenario in Splunk Cloud or other environments. ... View more

KV limit in limits.conf

by in Splunk Enterprise
‎12-12-2025 03:46 AM
‎12-12-2025 03:46 AM
Hi, We develop a Splunk app that ingests JSON events with 150+ fields. Our props.conf uses: [our_sourcetype] KV_MODE = json TRUNCATE = 0 Customer Issue: A customer reports that fields beyond ~100 are not being extracted, causing their detection rules to fail silently.  They believe the [kv] limit = 100 in limits.conf is causing field truncation. For the workaround and time being they have increased it to 200. Constraints: Customer cannot increase [kv] limits due to CPU/performance concerns. Writing regex-based extractions for 100+ nested/array fields is not maintainable. We cannot modify the JSON structure at the source. Is there a supported way to ensure full JSON extraction without raising KV limits? Is there any recommended pattern for handling complex nested JSON arrays in extraction? Please guide me what could be the best possible solution. Also does the 100 field limit in [kv] stanza apply to KV_MODE = json, or only to KV_MODE = auto? ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎12-14-2025 09:21 PM