Splunk Enterprise Security

Where I have to configure limits.conf in a distributed environment?

miguelangelclem
Explorer

Hi all,

I have a distributed multisite architecture, with a single Search Head, 2 indexers and, 2 Forwarders a Cluster Master, all in 7.3.3

I have to change some values in limits.conf to increase the number of extracted fields.

Where I have to change the value? In all machines? Only in the Cluster Master? Only in the Search Head? In the Search Head and in the indexers?

I have read a lot of threads, and a lot of docs, but this is not explicitly documented, or i have not found it.

Thanks in advance and sorry if this is a "noob" question, it's my first time 🙂

0 Karma
1 Solution

manjunathmeti
SplunkTrust
SplunkTrust

If you are increasing the number of extracted fields before indexing then you need to put limits.conf on indexer servers.

View solution in original post

manjunathmeti
SplunkTrust
SplunkTrust

If you are increasing the number of extracted fields before indexing then you need to put limits.conf on indexer servers.

miguelangelclem
Explorer

Thanks! One more question...

My problem is that when I run a search in the raw data I see fields than I don't see in the extracted fields, and i can't search for a specific value in these fields.

I think that changing the limit.conf file, I will be able to search for a specific value in this fields. Is it correct?

Thanks again, @manjunathmeti !

0 Karma

manjunathmeti
SplunkTrust
SplunkTrust

By default splunk extract first 100 fields from raw data at search time OR 200 at index time based on KV_MODE setting. If your data has more than 200 fields and KV_MODE set to none for source/sourcetype then increase kv limit value on limits.conf on indexers, else increase it on search heads.

https://docs.splunk.com/Documentation/Splunk/7.3.3/Admin/Limitsconf#.5Bkv.5D

0 Karma

miguelangelclem
Explorer

Nice, @manjunathmeti. Thanks a lot.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...