# Version 9.2.2.20240415 # ############################################################################ # OVERVIEW ############################################################################ # DO NOT EDIT THIS FILE! # Changes to default files will be lost on update and are difficult to # manage and support. # # Please make any changes to system defaults by overriding them in # apps or $SPLUNK_HOME/etc/system/local # (See "Configuration file precedence" in the web documentation). # # To override a specific setting, copy the name of the stanza and # setting to the file where you wish to override it. # # This file configures various limits to the Splunk's search commands. # CAUTION: Do not alter the settings in limits.conf unless you know what # you are doing. # # Improperly configured limits may result in splunkd crashes and/or # memory overuse. # ############################################################################ # GLOBAL SETTINGS ############################################################################ [default] max_mem_usage_mb = 200 [searchresults] maxresultrows = 50000 # Maximum number of times to try in the atomic write operation # (1 = no retries) tocsv_maxretry = 5 # Retry period is 1/2 second (500 milliseconds) tocsv_retryperiod_ms = 500 compression_level = 1 [search_info] # These setting control logging of error messages to info.csv # All messages will be logged to search.log regardless of these settings. # maximum number of error messages to log in info.csv # Set to 0 to remove limit, may affect search performance max_infocsv_messages = 20 # log level = DEBUG | INFO | WARN | ERROR infocsv_log_level = INFO # Log warnings if search returns no results because user has no # permissions to search on queried indexes. show_warn_on_filtered_indexes = false # Log level of messages when search returns no results because user has # no permissions to search on queried indexes. 
filteredindexes_log_level = DEBUG [subsearch] # Maximum number of results to return from a subsearch. maxout = 10000 # Maximum number of seconds to run a subsearch before finalizing. maxtime = 60 # Time to cache a given subsearch's results. ttl = 300 ############################################################################ # SEARCH COMMAND ############################################################################ # This section contains the settings for the search command. # The settings are organized in subsections by type of setting. [search] ############################################################################ # Batch search ############################################################################ # This section contains settings for batch search. # Allow batch mode which searches in non-time order for certain classes # of searches. allow_batch_mode = true # When batch mode attempts to retry the search on a peer that failed wait # at least this many seconds. batch_retry_min_interval = 5 # When batch mode attempts to retry the search on a peer that failed wait # at most this many seconds. batch_retry_max_interval = 300 # After a retry attempt fails increase the time to wait before trying # again by this scaling factor. batch_retry_scaling = 1.5 # When in batch mode what is the max number of index values to read in # at one time. batch_search_max_index_values = 10000000 # Number of search pipelines created per batch search batch_search_max_pipeline = 1 # Default size of the aggregator queue to which all the search pipelines # dump the search results on the indexer. batch_search_max_results_aggregator_queue_size = 100000000 # Default size of the serialized results queue where all the serialized # results are kept before transmission. 
batch_search_max_serialized_results_queue_size = 100000000 ############################################################################ # Bundles ############################################################################ # This section contains settings for bundles and bundle replication. # Avoid loading remote bundles in splunkd. load_remote_bundles = false # Bundle replication file ttl. replication_file_ttl = 600 # The minimum bundle replication period. replication_period_sec = 60 # Whether bundle replication is synchronous (and thus blocking searches). sync_bundle_replication = auto # Bundle status expiry time bundle_status_expiry_time = 1hr ############################################################################ # Concurrency ############################################################################ # This section contains settings for search concurrency limits. # If 'total_search_concurrency_limit = auto', the total limit of concurrent # historical searches is # max_hist_searches = max_searches_per_cpu x number_of_cpus + base_max_searches. # The maximum number of concurrent historical searches in the search head. total_search_concurrency_limit = auto # The base number of concurrent historical searches. base_max_searches = 6 # Max real-time searches = max_rt_search_multiplier x max historical searches. max_rt_search_multiplier = 1 # The maximum number of concurrent historical searches per CPU. max_searches_per_cpu = 1 # Whether maximum number of concurrent searches are enforced cluster-wide # for admission of adhoc searches shc_adhoc_quota_enforcement = off ############################################################################ # Distributed search ############################################################################ # This section contains settings for distributed search connection # information. # Limit on the skew permitted when adding a search peer. # Peers with a skew larger than this will be rejected. 
addpeer_skew_limit = 600 # Defaults to download all remote logs other than saved search logs and # oneshot search logs. fetch_remote_search_log = disabledSavedSearches # Maximum size of the chunk queue. max_chunk_queue_size = 10000000 # Search results combiner maximum in-memory buffer size (in events). max_combiner_memevents = 50000 # Absolute value of largest time skew we will tolerate between the search # head and the peer (in seconds). max_tolerable_skew = 60 # Maximum number of worker threads in Round Robin policy. max_workers_searchparser = 5 # The minimum number of results blobs to keep for consumption by the # search head. results_queue_min_size = 10 # Corresponds to the size of the results queue in the dispatch fetch level result_queue_max_size = 100000000 # If all currently active peers have finished with the search wait this # many seconds before giving up on peers we are attempting to reconnect # to for a retry. results_queue_read_timeout_sec = 900 # by default we do not enable throttling remote_search_requests_throttling_type = disabled # By default, send user capabilities to the search peers. remote_search_requests_send_capabilities_list = true # By default, allow remote search execution even if the capability list is missing. remote_search_requests_reject_if_capabilities_list_absent = false ############################################################################ # Field stats ############################################################################ # This section contains settings for field statistics. # How often to update the field summary statistics, as a ratio to the # elapsed run time so far. fieldstats_update_freq = 0 # Maximum period for updating field summary statistics in seconds. fieldstats_update_maxperiod = 60 # The minimum frequency of a field displayed in the /summary endpoint. 
min_freq = 0.01 ############################################################################ # History ############################################################################ # This section contains settings for search history. # Enable search history? enable_history = true # Max number of searches to store in history # for each user/app, if search_history_storage_mode is csv; # for each user, if search_history_storage_mode is kvstore. max_history_length = 500 # Max time search history records to store in history (for each user). max_history_storage_retention_time = 90d # History storage search_history_storage_mode = csv ############################################################################ # Memory tracker ############################################################################ # This section contains settings for the memory tracker. # If memory tracker is disabled, search won't be terminated even if it # exceeds the memory limit. # By default memory tracking is disabled. enable_memory_tracker = false # Default value for percentage memory usage for the splunk search # process is set to 25%. search_process_memory_usage_percentage_threshold = 25 # Default value for memory usage for the Splunk search process is set to 4GB. search_process_memory_usage_threshold = 4000 ############################################################################ # Meta search ############################################################################ # This section contains settings for meta search. # Allow inexact metasearch? allow_inexact_metasearch = false ############################################################################ # Misc ############################################################################ # This section contains miscellaneous search settings. # Determines if the saved searches handler uses a removable cache use_removable_search_cache = true # Specifies after how long a paused search should be auto canceled, # in seconds. 
# 0 means do not auto cancel the paused search. auto_cancel_after_pause = 0 dispatch_dir_warning_size = 5000 # Enable concatenation of successively occurring evals into a single # comma separated eval during generation of data model searches. enable_datamodel_meval = true # Determines whether or not scoped conditional expansion of knowledge # objects occurs during search string expansion. This only applies on # the search head. # NOTE: Do not change unless instructed to do so by Splunk Support. enable_conditional_expansion = true # If true, always dispatch saved searches as the requesting user. # The default for dispatchAs in the savedsearches.conf.spec.in file # is 'owner'. force_saved_search_dispatch_as_user = false # Max length of custom job id when passing spawning new job. max_id_length = 150 # Specifies the maximum length of a generated or custom search job ID before # the Splunk software shortens the directory name. The search job ID itself # remains the same. max_id_length_before_hash = 230 # Specifies whether the Splunk software reruns all or elements of a currently # running search process when there are indexer failures in an indexer # clustering environment. search_retry = false # Sets how long, in seconds, 'search_retry' waits to get updated # indexer information. search_retry_waiting_time = 70 # Maximum number of attempts made to retry a historical search before failing # Only applied when search_retry is set to true search_retry_max_historical = 15 # Stack size of the search executing thread. stack_size = 4194304 # Use precomputed summaries if possible? summary_mode = all # Track indextime range of searches (shown in job inspector). track_indextime_range = true # By default use bloom filter. use_bloomfilter = true # By default use metadata elimination. 
use_metadata_elimination = true # Serialization format and compression algorithm used for search results results_serial_format = srs results_compression_algorithm = zstd # Record search telemetry in search_telemetry.json in the dispatch dir # The setting in telemetry.conf controls whether the data is sent back, # this setting controls whether we generate search telemetry data in the # dispatch dir. Search telemetry data is also put into _introspection. record_search_telemetry = true # Number of files to use as a threshold at which to stop adding more # files to var/run/splunk/search_telemetry for indexing search telemetry # data. This setting applies only to telemetry on the search head. search_telemetry_file_limit = 500 # Limit, in bytes, for each of the constituent components of the search # telemetry json representation search_telemetry_component_limit = 10000 # track of the number of events of each sourcetype that match a search track_matching_sourcetypes = true # timeout to launch a search job search_launch_timeout_seconds = 180 # timeout to initialize startup configuration, in milliseconds search_startup_config_timeout_ms = 3000 # maximum number of tracked search result sourcetypes to add to audit.log max_audit_sourcetypes = 100 use_search_evaluator_v2 = true # The maximum number of field metadata displayed in the /jobs/fieldmeta endpoint. max_fieldmeta_cnt_ui = 1000 ############################################################################ # Parsing ############################################################################ # This section contains settings related to parsing searches. # Max recursion depth for macros. # Considered a search exception if macro expansion does not stop after # this many levels. max_macro_depth = 100 # Max recursion depth for subsearch. # Considered a search exception if subsearch does not stop after # this many levels. max_subsearch_depth = 8 # The minimum length of a prefix before a * to ask the index about. 
min_prefix_len = 1 # When true, always search the lexicon for both field::val and val for # field=val searches, unless INDEXED=true is set for the field in # in fields.conf (in which case only field::val is searched) always_include_indexedfield_lispy = true # When set to true, we will scope every indexed field=val statement # with sourcetype and convert it to the indexed form (field::val) indexed_fields_expansion = true ############################################################################ # Preview ############################################################################ # This section contains settings for previews. # The maximum time to spend generating previews, as a fraction of total # search time. preview_duty_cycle = 0.25 ############################################################################ # Quota or queued searches ############################################################################ # This section contains settings for quota or queued searches. # Default setting for allowing async jobs to be queued if quota violation. default_allow_queue = true # The maximum number of times to retry to dispatch a search when the # quota has been reached. dispatch_quota_retry = 4 # Milliseconds between retrying to dispatch a search if a quota has been # reached. We retry the given number of times, with each successive wait # 2x longer than the previous. dispatch_quota_sleep_ms = 100 # Enforce cumulative role based quotas enable_cumulative_quota = false # how often to retry queued jobs (in seconds) queued_job_check_freq = 1 ############################################################################ # Reading chunk controls ############################################################################ # This section contains settings for reading chunk controls. # max_results_perchunk, min_results_perchunk, and target_time_perchunk # are multiplied by this for a long running search. 
chunk_multiplier = 5 # Time in seconds until a search is considered "long running”. long_search_threshold = 2 # Maximum raw size of results for each call to search (in dispatch). # 0 = no limit, not affected by chunk_multiplier. max_rawsize_perchunk = 100000000 # Maximum results per call to search (in dispatch). # Must be <= maxresultrows. max_results_perchunk = 2500 # Minimum results per call to search (in dispatch). # Must be <= max_results_perchunk. min_results_perchunk = 100 # Target duration of a particular call to fetch search results in ms. target_time_perchunk = 2000 ############################################################################ # Real-time ############################################################################ # This section contains settings for real-time searches. # For real-time searches in the UI, maximum number of events stored # (as a FIFO buffer). realtime_buffer = 10000 ############################################################################ # Remote storage ############################################################################ # This section contains settings for remote storage. # Maximum number of remote buckets to localize as a look-ahead on searches. bucket_localize_max_lookahead = 5 # Specifies which bucket prediction algorithm to use. bucket_predictor = consec_not_needed ############################################################################ # Results storage ############################################################################ # This section contains settings for storing final search results. # The maximum number of end results to store globally # (when status_buckets=0). max_count = 500000 # By default, no timeline information is retained. UI will supply the # status_buckets as needed. status_buckets = 0 # Truncate report output to max_count? truncate_report = false # Do we write multi-file results to results_dir? 
write_multifile_results_out = true # For event searches should we read final results from the timeliner read_final_results_from_timeliner = true # Field filters are turned off by default in the preview release. field_filters = false ############################################################################ # Search process ############################################################################ # This section contains settings for search process configurations. # Even if the search process has not been idle for the above time, check its # internal caches for stale data after this many searches. idle_process_cache_search_count = 8 # If a search process is idle for this many seconds, take the opportunity # to scan its internal caches for stale data. idle_process_cache_timeout = 0.5 # Periodically we'll check if we have too many idle search processes. # This controls how often that happens (in seconds). idle_process_reaper_period = auto # Inside a search process, keep up to this many compiled regex artifacts # before checking for stale ones. Normally the above idle_process_cache_* # settings will check for stale entries before this limit is hit. idle_process_regex_cache_hiwater = 2500 # When running a search, scan at most this many idle processes before # launching a new one. launcher_max_idle_checks = auto # Number of server threads dedicated to managing communication with # search processes. 
# Negative number means automatically pick a sensible value launcher_threads = -1 # Maximum number of preforked search processes that are idle # and wait for next search execution max_idle_process_count = auto # Memory (RSS) limit of a search process that can be idle and reusable, in KB # Number 0 is set to use the system default, 1024*1024 KB (1GB) # Negative number means no limit max_idle_process_memory = auto # The number of search processes constructing a pool to run searches, which is # dependent on system resources (CPU and memory) available to Splunk server # Number 0 is set to automatically pick a sensible value # Negative number means no limit max_search_process_pool = 2048 # When reaping idle search processes, allow one to be reaped if it is # not using the most recent configuration bundle, and its bundle has not # been used in at least this many seconds. max_old_bundle_idle_time = auto # On UNIX we can run more that one search per process. # Set this to a number greater than one to enable. max_searches_per_process = 500 # When running more than one search per process, limit the number of new # searches that can be started before allowing time to service the ones # that are already running max_searches_started_per_cycle = 30 # When running more than one search per process, don't allow a process to # accumulate more than this number of seconds running searches. Note that a # search can run longer than this without being terminated, it only prevents # the process from being used for another search max_time_per_process = auto # When running more than one search per process, do not reuse a process # if it is older than this number of seconds. This is different than # max_time_per_process because it includes time the process spent idle. process_max_age = 7200.0 # Don't reuse a process that last served a different user unless it has # been idle this long (in seconds). 
process_min_age_before_user_change = auto search_process_mode = auto # Whether to increase oom_score of search processes to make splunk more stable. search_process_configure_oom_score_adj = true # The value added to search process, ranging between 0 and 1000. # Only applies when 'search_process_configure_oom_score_adj' is set to true. search_process_set_oom_score_adj = 700 ############################################################################ # search_messages.log ############################################################################ # Specifies whether splunkd promotes user-facing search messages # from $SPLUNK_HOME/var/run/splunk/dispatch//info.csv to # $SPLUNK_HOME/var/log/splunk/search_messages.log. log_search_messages = true # When 'log_search_messages = true', this setting specifies the lowest # severity of message that splunkd logs to search_messages.log. # Splunkd ignores all messages with a lower severity. # Possible values in ascending order: DEBUG, INFO, WARN, ERROR search_messages_severity = WARN ############################################################################ # Search reuse ############################################################################ # This section contains settings for search reuse. ############################################################################ # Splunk Analytics for Hadoop ############################################################################ # This section contains settings for use with Splunk Analytics for Hadoop. # The maximum time to spend doing reduce, as a fraction of total search time. reduce_duty_cycle = 0.25 # The frequency with which try to reduce intermediate data when there is # a non-streaming and non-stateful streaming command. (0 = never) reduce_freq = 10 ############################################################################ # Status ############################################################################ # This section contains settings for search status. 
# The number of search job metadata to cache in RAM. status_cache_size = 10000 ############################################################################ # Timelines ############################################################################ # This section contains settings for timelines. # Size of thread pool for remote event download framework. remote_event_download_initialize_pool = 5 remote_event_download_finalize_pool = 5 remote_event_download_local_pool = 5 # Allow timeline to be map/reduced? remote_timeline = true # Whether to fetch all events accessible through the timeline from the # remote peers before the job is considered done. remote_timeline_fetchall = 1 # Minimum number of peers required to utilize remote timelining. remote_timeline_min_peers = 1 # How often to touch remote artifacts to keep them from being reaped # when search has not finished? (in seconds). remote_timeline_touchperiod = 300 # Timeouts for fetching remote timeline events. remote_timeline_connection_timeout = 5 remote_timeline_send_timeout = 10 remote_timeline_receive_timeout = 10 # In ms search_keepalive_frequency = 30000 # Maximum number of uninterrupted keepalives before the connection is closed. search_keepalive_max = 100 # Enable timeline preview timeline_events_preview = false ############################################################################ # TTL ############################################################################ # This section contains time to live (ttl) settings. # The length of time to persist search cache entries (in seconds). cache_ttl = 300 # How long jobs are saved for by default. default_save_ttl = 604800 # How long searches should be stored on disk once failed. failed_job_ttl = 86400 # How long should searches run for a search head live on the indexers. remote_ttl = 600 # How long searches should be stored on disk once completed. ttl = 600 # Timeout value for checking search marker files like hotbucketmarker or backfill # marker. 
check_search_marker_done_interval = 60 # Time interval of sleeping between subsequent search marker files checks. check_search_marker_sleep_interval = 1 # How long srtemp sub-directories should be kept before they are deleted srtemp_dir_ttl = 86400 ############################################################################ # Distributed search throttling ############################################################################ # This section contains settings for distributed search throttling (peers # side) information. [search_throttling::per_cpu] max_concurrent = 12 [search_throttling::physical_ram] min_memory_per_search = 134217728 ############################################################################ # OTHER COMMAND SETTINGS ############################################################################ # This section contains the stanzas for the SPL commands, except for the # search command, which is in a separate section. [anomalousvalue] maxresultrows = 50000 # Maximum number of distinct values for a field. maxvalues = 0 # Maximum size in bytes of any single value # (truncated to this size if larger). maxvaluesize = 0 [associate] maxfields = 10000 maxvalues = 0 maxvaluesize = 0 [autoregress] maxp = 10000 maxrange = 1000 [collect] # Setting for multivalue field representations in collect command. format_multivalue_collect = false # Setting for collect command to add quotation marks based on major breakers. collect_ignore_minor_breakers = false [concurrency] # Maximum concurrency level to keep record of. max_count = 10000000 [correlate] maxfields = 1000 [ctable] # This stanza contains settings for the contingency/ctable/counttable # command. maxvalues = 1000 [dbinspect] maxresultrows = 50000 [discretize] # This stanza contains settings for the bin/bucket/discretize command. maxbins = 50000 # if maxbins not specified or = 0, defaults to searchresults::maxresultrows [findkeywords] maxevents = 50000 [geostats] # At the lowest level of the tree, i.e. 
ZL=0 (when we are zoomed out to # the world level ), what is the size of each gridcell in terms of latitude # and longitude (degrees)? # Valid values for zl_0_gridcell_latspan are from 0 to 180.0, and # for zl_0_gridcell_longspan are from 0 to 360.0. # Rest of the zoom level gridcell sizes are auto-tuning, i.e. will # reduce by a factor of 2 at each additional level. zl_0_gridcell_latspan = 22.5 zl_0_gridcell_longspan = 45.0 # Configures the filtering/search strategy for events on the map. # Currently experimental. filterstrategy = 2 # How many levels of clustering will be done in geostats. maxzoomlevel = 9 [inputcsv] # Maximum number of retries for creating a tmp directory (with random # name in SPLUNK_HOME/var/run/splunk). mkdir_max_retries = 100 [join] # The join command subsearch is restricted by two settings, 'subsearch_maxout' # and the 'maxresultrows' setting in the [searchresults] stanza. subsearch_maxout = 50000 subsearch_maxtime = 60 [kmeans] maxdatapoints = 100000000 maxkvalue = 1000 maxkrange = 100 [lookup] # Maximum size of static lookup file to use a in-memory index for. max_memtable_bytes = 26214400 # Maximum size of static lookup file to use when using a lookup() # eval function in the ingest context # Defaults to 10MB ingest_max_memtable_bytes = 10485760 # Period of time after which we should refresh in-memory lookup # tables being used with lookup() eval function at ingest time. ingest_lookup_refresh_period_secs = 60 # Maximum reverse lookup matches (for search expansion). max_reverse_matches = 50 # Default setting for if non-memory file lookups (for large files) # should batch queries. # Can be overridden using a lookup table's stanza in transforms.conf. batch_index_query = true # When doing batch request, what's the most matches to retrieve? # If more than this limit of matches would otherwise be retrieved, # we will fall back to non-batch mode matching. 
batch_response_limit = 5000000 # Maximum number of lookup error messages that should be logged. max_lookup_messages = 20 # time to live for an indexed csv indexed_csv_ttl = 300 # keep alive token file period indexed_csv_keep_alive_timeout = 30 # max time for the CSV indexing indexed_csv_inprogress_max_timeout = 300 # whether we want to error on invalid lookups or let them proceed. input_errors_fatal = false # Should KV Store lookups be indexed at time of bundle replication? enable_splunkd_kv_lookup_indexing = true [metadata] maxresultrows = 10000 # The most metadata results to fetch from each indexer. maxcount = 100000 bucket_localize_max_lookahead = 10 [metric_alerts] condition_evaluation_interval = 1 search_delay = 15s+ search_ttl = 2p honor_action = false [msearch] chunk_size = 1000 target_per_timeseries = 5 [mvcombine] max_mem_usage_mb = 500 [mvexpand] max_mem_usage_mb = 500 [outputlookup] # Specifies if the outputlookup command should check if the user # has write permission on the lookup file. # The permission is set in the .meta file. outputlookup_check_permission = false # Specifies the context where the lookup file will be created for the first time. create_context = app [rare] maxresultrows = 50000 # Maximum distinct value vectors to keep track of. maxvalues = 0 maxvaluesize = 0 [rest] allow_reload = false [set] maxresultrows = 50000 [sort] # maximum number of concurrent files to open maxfiles = 64 [spath] # Number of characters to read from an XML or JSON event when # auto extracting. extraction_cutoff = 5000 extract_all = true [stats] max_keymap_rows = 1000000 maxresultrows = 50000 maxvalues = 0 maxvaluesize = 0 # For streamstats's maximum window size. max_stream_window = 10000 # For rdigest, used to approximate order statistics (median, percentiles). 
rdigest_k = 100 rdigest_maxnodes = 1 tdigest_k = 50 tdigest_max_buffer_size = 1000 tmpfile_compression = lz4 tmpfile_compression_level = 0 perc_digest_type = tdigest list_maxsize = 100 min_chunk_size_kb = 64 max_chunk_size_kb = 4096 chunk_size_double_every = 100 # Determines whether to return results for searches with time-sensitive # aggregations and missing or invalid timestamps in input events. check_for_invalid_time = false [sistats] max_keymap_rows = 1000000 maxvalues = 0 maxvaluesize = 0 rdigest_k = 100 rdigest_maxnodes = 1 tdigest_k = 50 tdigest_max_buffer_size = 1000 perc_digest_type = tdigest max_valuemap_bytes = 100000 [top] maxresultrows = 50000 # Maximum distinct value vectors to keep track of. maxvalues = 0 maxvaluesize = 0 [transactions] # Maximum number of open transaction or events in open. # Transaction before transaction eviction happens. maxopentxn = 5000 maxopenevents = 100000 [tscollect] # Default value of 'squashcase' arg if not specified by the command. squashcase = false # Default value of 'keepresults' arg if not specified by the command. keepresults = false # The max allowed size of tsidx files to create in megabytes. # ’0’ implies no limit optimize_max_size_mb = 256 [tstats] # Whether we apply role-based search filters when users run tstats # on normal index data (never applied on data from tscollect or # data model acceleration). apply_search_filter = true # Default value of 'summariesonly' arg if not specified by the command. summariesonly = false # Default value of 'allow_old_summaries' arg if not specified # by the command. allow_old_summaries = false # By default we retrieve up to ten million events at once from a # TSIDX file when answering queries. chunk_size = 10000000 # By default, do not include non-numeric values when applying # searches that filter on numeric values. 
include_events_omitted_when_filtering_numeric_values = false # Number of search pipelines created per batch search batch_search_max_pipeline = 1 # Should tstats use bloomfilters to eliminate buckets use_bloomfilter = true update_datamodel_usage_stats = true [mstats] time_bin_limit = 1000000 # Should mstats use bloomfilters to eliminate buckets use_bloomfilter = true [typeahead] maxcount = 1000 max_servers = 2 fetch_multiplier = 50 use_cache = true cache_ttl_sec = 300 min_prefix_length = 1 max_concurrent_per_user = 3 banned_segments = [typer] # In eventtyping, pay attention to first N characters of any # attribute (e.g., _raw), including individual tokens. Can be # overridden by supplying the typer operator with the argument. # maxlen (e.g. "|typer maxlen=300"). maxlen = 10000 [xyseries] max_mem_usage_mb = 200 ############################################################################ # GENERAL ############################################################################ # This section contains the stanzas for a variety of general settings. [auto_summarizer] cache_timeout = 600 maintenance_period = 1800 return_actions_with_normalized_ids = fromcontext normalized_summaries = true detailed_dashboard = true shc_accurate_access_counts = false disable_transparent_mode_federation = false [http_input] # The max number of tokens reported by logging input metrics. max_number_of_tokens = 10000 # The interval (in seconds) of logging input metrics report. metrics_report_interval = 60 # The max request content length (800MB, to match HTTP server). max_content_length = 838860800 # The max number of ACK channels. max_number_of_ack_channel = 1000000 # The max number of acked requests pending query. max_number_of_acked_requests_pending_query = 10000000 # The max number of acked requests pending query per ACK channel. max_number_of_acked_requests_pending_query_per_ack_channel = 1000000 [indexpreview] # Maximum number of bytes to read from each file during preview. 
max_preview_bytes = 2000000
# Maximum number of results to emit per call to preview data generator.
max_results_perchunk = 2500
# Loosely-applied maximum on number of preview data objects held in memory.
soft_preview_queue_size = 100

[inputproc]
# Threshold size (in mb) to trigger fishbucket rolling to a new db.
file_tracking_db_threshold_mb = 500
# Approximate ceiling on source types & fingerprints in learned app.
learned_sourcetypes_limit = 1000
# Maximum size (in mb) of heap allowed to be created by Splunk modular
# input MonitorNoHandle.
monitornohandle_max_heap_mb = 0

[kv]
# When non-zero, the point at which kv should stop creating new columns.
maxcols = 512
# Maximum number of keys auto kv can generate.
# Set this value to 0 to impose no limit on either auto kv or indexed kv.
limit = 100
# Maximum number of key-value pairs that can be extracted at index time.
# Set this value to 0 to impose no limit on indexed kv.
indexed_kv_limit = 200
# Truncate _raw to this size and then do auto KV.
maxchars = 10240
# Time budgets for the kv extractor; the unit is not stated in this file,
# confirm against limits.conf.spec before tuning.
max_extractor_time = 1000
avg_extractor_time = 500

[kvstore]
# The max number of accelerations that can be assigned to a single collection.
# Valid values range from 0 to 50
max_accelerations_per_collection = 10
# The max number of fields that can be part of an acceleration.
# Valid values range from 0 to 30
max_fields_per_acceleration = 10
# The max number of rows that will be returned per query.
max_rows_per_query = 50000
# The max number of queries that can be run as part of the same batch.
max_queries_per_batch = 1000
# The max size of a query result in MB.
max_size_per_result_mb = 50
# The max size of a batch save operation in MB.
max_size_per_batch_save_mb = 50
# The max number of documents of a batch save operation.
max_documents_per_batch_save = 1000
# The max size of a batched query result in MB.
max_size_per_batch_result_mb = 100
# The max number of rows in memory before flushing them to CSV projection.
max_rows_in_memory_per_dump = 200
# The max number of threads to use for outputlookup.
max_threads_per_outputlookup = 1

[kvstore_migration]
# The interval in seconds at which the status of KV Store migration or
# KV Store upgrade is polled for search head cluster members.
periodic_timer_interval = 10
# The maximum number of intervals that a search head cluster member's
# failed status can remain unchanged during KV Store migration or upgrade.
max_failed_status_unchanged_count = 30

[input_channels]
max_inactive = auto
lowater_inactive = auto
inactive_eligibility_age_seconds = 330

[ldap]
# Maximum number of users we will attempt to precache from LDAP after
# reloading auth.
max_users_to_precache = 1000
# Controls whether we allow login when we find multiple entries with the
# same value for the username attribute.
# When true, a username that matches several directory entries is still
# allowed to log in. If the directory can contain duplicate username
# attribute values, set this to false so that an ambiguous username is
# rejected at login instead.
allow_multiple_matching_users = true

[metrics]
# The number of series to include in the per_x_thruput reports in
# metrics.log.
maxseries = 10

# 30 seconds metrics logging interval
[tcpin_connections]
interval = 30

[thruput:thruput]
interval = 30

[thruput:index_thruput]
interval = 30

[queue]
interval = 30

[dutycycle]
interval = 30

[search_concurrency]
interval = 30

[searchscheduler]
interval = 30

[executor]
interval = 30

[jobs]
interval = 30

[search_pool]
interval = 30

[smartbus]
interval = 30

[pipeline_lb_cpu-stashparsing]
interval = 120

[pipeline_agg_cpu-stashparsing]
interval = 120

[pipeline_lb_cpu-parsing]
interval = 120

[pipeline_mp_cpu-parsing]
interval = 120

[pipeline_agg_cpu-merging]
interval = 120

[pipeline_msp_cpu-typing]
interval = 120

[pipeline:regexextractionprocessor-stashparsing]
interval = 120

[pipeline:regexextractionprocessor-typing]
interval = 120

[pipeline:regexextractionprocessor-ruleset]
interval = 120

[metrics:tcpin_connections]
# Keep per-connection metrics.
aggregate_metrics = false
# Keep _tcp_Bps, _tcp_KBps, _tcp_avg_thruput, _tcp_Kprocessed that can
# be derived from kb.
suppress_derived_info = false

[pdf]
# The max number of rows that the pdfgen rendering engine (not PDF Report
# Server app) will render for any individual table or event listing.
max_rows_per_table = 1000
# The number of seconds after which the pdfgen render endpoint will timeout
# if it has not yet finished rendering the PDF output.
render_endpoint_timeout = 3600
# The number of seconds after which the Chromium engine will timeout if the
# engine still needs to render the dashboard output.
# This setting does not impact the render_chromium_screenshot_delay.
render_chromium_timeout = 30
# The number of seconds after which the Chromium engine takes a screenshot
# of a dashboard to render before exporting the dashboard.
# This setting does not impact the render_chromium_timeout setting.
render_chromium_screenshot_delay = 0

[restapi]
# Maximum result rows to be returned by /events or /results getters from
# REST API.
maxresultrows = 50000
# Regex constraint on time_format and output_time_format for search
# endpoints. A caller-supplied format that matches this regex is rejected;
# the default rejects '<', '>' and '!'. Loosening it widens what a client
# can pass through to the formatter.
time_format_reject = [<>!]
# Truncate the properties over this length in the contents dictionary
# of a job entry from the jobs endpoint.
# 0 means don't truncate.
jobscontentmaxcount = 0
# Determines whether we want to hard error for REST command searches
restprocessor_errors_fatal = false
# The maximum number of persistent processes that EAI custom REST handlers
# can create to serve REST API calls in persistent mode.
max_persistent_connections = 3000

[realtime]
# Default options for indexer support of real-time searches.
# These can all be overridden for a single search via REST API arguments.
# Size of queue for each real-time search.
queue_size = 10000
# Should indexer block if a queue is full?
blocking = false
# Maximum time to block if the queue is full.
# Meaningless if blocking = false.
max_blocking_secs = 60
# Should the indexer prefilter events for efficiency?
indexfilter = true
# Should real-time windowed searches backfill with historical data by default?
default_backfill = true
# Should real-time windowed searches sort events to be in descending time order?
enforce_time_order = true
# Should we use indexedRealtime by default?
indexed_realtime_use_by_default = false
# Number of seconds to wait for disk flushes to finish with
# indexed/continuous/pseudo realtime search.
indexed_realtime_disk_sync_delay = 60
# Minimum seconds to wait between component index searches during an
# indexed realtime search.
indexed_realtime_default_span = 1
# Max number of seconds allowed to fall behind realtime before we drop data
# and reset back to the default span from realtime.
indexed_realtime_maximum_span = 0
# Frequency to fetch updated bucket list.
indexed_realtime_update_interval = 30
# This limits the frequency that we will trigger alerts during a
# realtime search.
alerting_period_ms = 0

[rex]
# Bounds on the work the regex engine may do for one rex match
# (total match steps and recursion depth, presumably; not described in
# this file). They cap the CPU a pathological pattern or input can
# consume, so raise them deliberately and only as far as needed.
match_limit = 100000
depth_limit = 1000

[reversedns]
# Max percent of time allowed for reverse dns lookups for incoming
# forwarder connections before WARN is logged in splunkd.log.
# Sanity check diagnostic for slow lookups.
rdnsMaxDutyCycle = 10

[scheduler]
# Uses a separate thread to fetch scheduled and auto summarize saved searches
# asynchronously.
async_saved_search_fetch = true
# The interval at which scheduled and auto summarize saved searches
# will be fetched asynchronously.
async_saved_search_interval = 30
# The interval at which scheduled saved searches will be evaluated for
# admission rules asynchronously.
async_admission_eval_interval = 600
saved_searches_disabled = false
# The maximum number of searches the scheduler can run, as a percentage
# of the maximum number of concurrent searches.
max_searches_perc = 50
# Fraction of concurrent scheduler searches to use for auto summarization.
auto_summary_perc = 50
# Every search should run as soon as possible after its next scheduled time.
# However, each is penalized by its average runtime, thus allowing
# shorter-running searches to run sooner and not potentially starve.
#
# However, since many searches run in fractions of a second and the
# priority type is integral and based on seconds, adding a raw runtime is
# too small to alter the result. Therefore, we scale the runtime.
priority_runtime_factor = 10
# A potential issue with the priority_runtime_factor is that now
# longer-running searches may get starved. To balance this out, make a
# search's priority lower (better) the more times it has been skipped.
#
# The adjustment should be normalized by the search's period, i.e., an
# infrequent search that has been skipped should get a lower (better) score
# than a frequent search that has been skipped the same number of times.
#
# Eventually, this adjustment will outweigh any worse priority due to a long
# runtime. The priority_skipped_factor controls how quickly this happens.
priority_skipped_factor = 1
# The amount of time, in seconds, to delay retrying a scheduled search that
# failed to dispatch (usually due to hitting concurrency limits).
dispatch_retry_delay = 0
# The maximum amount of time to defer running continuous scheduled searches
# while waiting for the KV Store to come up in order to load historical data.
# This is used to prevent gaps in continuous scheduled searches when splunkd
# was down.
#
# Use [<int>]<unit> to specify a duration; a missing <int> defaults to 1.
# Relevant units are: s, sec, second, secs, seconds, m, min, minute, mins,
# minutes.
# For example: "60s" = 60 seconds, "5m" = 5 minutes.
search_history_load_timeout = 2m
# The number of runtimes kept for each search that are used to calculate the
# historical average runtime during search prioritization.
search_history_max_runtimes = 10
# The maximum amount of time to run missed continuous scheduled searches for
# once Splunk comes back up in the event it was down.
#
# Use [<int>]<unit> to specify a duration; a missing <int> defaults to 1.
# Relevant units are: min, minute, mins, minutes, h, hr, hour, hrs, hours, d,
# day, days, w, week, weeks, mon, month, months.
# For example: "5m" = 5 minutes, "1h" = 1 hour.
#
# A value of 0 means no lookback.
max_continuous_scheduled_search_lookback = 24h
# The amount of time to "look back" when reporting introspection statistics.
# For example: what is the number of dispatched searches in the last 60 minutes?
#
# Use [<int>]<unit> to specify a duration; a missing <int> defaults to 1.
# Relevant units are: m, min, minute, mins, minutes, h, hr, hour, hrs, hours,
# d, day, days, w, week, weeks.
# For example: "5m" = 5 minutes, "1h" = 1 hour.
introspection_lookback = 1h
# Maximum number of results to load when triggering an action.
max_action_results = 50000
# Action execution and alert bookkeeping limits; units and semantics are
# not stated in this file, see limits.conf.spec before changing them.
action_execution_threads = 10
actions_queue_size = 500
actions_queue_timeout = 30
alerts_max_count = 50000
alerts_max_history = 7d
alerts_expire_period = 120
persistence_period = 30
# Maximum number of lock files to keep around for each scheduled search.
# Effective only if search head pooling is enabled; the most recent files
# are kept.
max_lock_files = 5
# The lock file reaper should clean lock files that are this old (in seconds).
max_lock_file_ttl = 86400
max_per_result_alerts = 500
scheduled_view_timeout = 60m
# Scheduler timeout for printing a throttled warning message
# if we're hitting scheduler concurrency limits.
concurrency_message_throttle_time = 10m
# By default the scheduler should not run jobs on itself in search head
# pooling mode. It should dispatch to pool members.
shp_dispatch_to_member = true
# In 6.3 and beyond Search Head Clustering has implemented role quota
# enforcement. Set this to true to enable this feature.
shc_role_quota_enforcement = false
shc_syswide_quota_enforcement = false

[search_metrics]
# Add more detail to the per-search metrics.
debug_metrics = false

[show_source]
# Maximum events retrievable by show source.
max_count = 10000
max_timebefore = 1day
max_timeafter = 1day
distributed = true
# Maximum events we will request in the distributed show source.
# Likely not all of these will be used.
distributed_search_limit = 30000

[slc]
# Maximum number of clusters to create.
maxclusters = 10000

[slow_peer_disconnect]
# Settings for the heuristic that will detect and disconnect slow peers
# towards the end of a search that has returned a large volume of data.
# Set to false to enable the heuristic. Defaults to true (feature off).
disabled = true
# The fraction of peers that must have completed before we start disconnecting.
# This is only applicable to batch search because the slow peers will not hold
# back the fast peers.
# Defaults to 0.9
batch_search_activation_fraction = 0.9
# Rate statistics will be sampled once every packets_per_data_point packets.
packets_per_data_point = 500
# Sensitivity of the heuristic to newer values. For larger values of
# sensitivity the heuristic will give more weight to newer statistics.
sensitivity = 0.3
# A peer is disconnected only if the heuristic consistently claims it is
# slow for at least grace_period_before_disconnect * life_time_of_collector
# seconds.
grace_period_before_disconnect = 0.10
# The volume of uncompressed data that must have accumulated in KB from
# a peer before we consider them in the heuristic.
threshold_data_volume = 100
# All peers will be given an initial grace period of at least this many
# seconds before we consider them in the heuristic.
threshold_connection_life_time = 5
# If the network is too homogeneous, resulting in very low standard deviations,
# this value may be tweaked to ensure that the thresholds we set are not
# too close to the mean. If the threshold is an upper bound,
# threshold >= mean*(1+bound_on_threshold); if the threshold is a
# lower bound, threshold <= mean*(1-bound_on_threshold).
# The actual threshold is computed during the search based on the mean
# and std.
bound_on_disconnect_threshold_as_fraction_of_mean = 0.2
# deviations of network statistics.

[summarize]
poll_buckets_until_maxtime = false
bucket_refresh_interval = 30
bucket_refresh_interval_cluster = 120
auto_finalize_secs_after_maxtime = 300

[system_checks]
# Health checks; each is 'enabled' or 'disabled'.
# installed_files_integrity appears to verify the installed files on the
# interval below; keep it enabled so unexpected file changes are reported.
insufficient_search_capabilities = enabled
orphan_searches = enabled
installed_files_integrity = enabled
installed_files_integrity_interval = 12h
# See limits.conf.spec file for details.

[thruput]
# Throughput limiting at index time.
maxKBps = 0

[viewstates]
# Is the viewstate reaper enabled?
enable_reaper = true
# How often does the reaper run?
reaper_freq = 86400
# How many viewstates does the reaper consider "acceptable"?
reaper_soft_warn_level = 1000
# Reaper eligibility age.
ttl = 86400

[scheduled_views]
enable_reaper = true
reaper_freq = 86400

############################################################################
# OPTIMIZATION
############################################################################
# This section contains global and specific optimization settings

[search_optimization]
enabled = true

[search_optimization::search_expansion]
enabled = true

[search_optimization::replace_append_with_union]
enabled = true

[search_optimization::merge_union]
enabled = true

[search_optimization::insert_redistribute_command]
enabled = true

[search_optimization::predicate_split]
enabled = true

[search_optimization::predicate_push]
enabled = true

[search_optimization::predicate_merge]
enabled = true
inputlookup_merge = true
merge_to_base_search = true

[search_optimization::projection_elimination]
enabled = true

[search_optimization::required_field_values]
enabled = true
fields = eventtype, tag

[search_optimization::search_flip_normalization]
enabled = true

[search_optimization::reverse_calculated_fields]
enabled = true

[search_optimization::search_sort_normalization]
enabled = true

[search_optimization::eval_merge]
enabled = true

[search_optimization::replace_table_with_fields]
enabled = true

[search_optimization::replace_stats_cmds_with_tstats]
enabled = true
detect_search_time_field_collisions = true

[search_optimization::replace_datamodel_stats_cmds_with_tstats]
enabled = true

[search_optimization::replace_chart_cmds_with_tstats]
enabled = true
detect_search_time_field_collisions = true

[search_optimization::set_required_fields]
stats = false

[directives]
required_tags = enabled
required_eventtypes = enabled
read_summary = enabled

[parallelreduce]
# The maximum number of valid indexers that can be used as intermediate
# reducers in the reducing phase of a parallel reduce operation.
maxReducersPerPhase = 20
# The percentage of valid indexers that can be selected from the search peers
# as intermediate reducers for a parallel reduce search operation.
winningRate = 50
# Timeout value setting to ensure that adequate time is provided for indexers
# and intermediate indexers to get paired.
rdinPairingTimeout = 30
# The percentage of search queries to run as prjob in total traffic.
autoAppliedPercentage = 0
# Use parallel reduce processing to improve the performance of qualifying
# ad-hoc searches.
autoAppliedToAdhocSearches = false
# The maximum amount of preview cache memory usage allowed for parallel reduce
# search, in MB.
maxPreviewMemUsageMb = 100
# Feature flag: preview for parallel reduce
enablePreview = true
# The list of commands that will not utilize parallel reduce
disabledCommandList = addinfo

[rollup]
# Threshold on lowest rollup interval allowed
minSpanAllowed = 300

[mcollect]
# Sets the output format from mcollect to use single value format always.
always_use_single_value_output = true

[auth]
# Not described in this file. The name suggests it gates app installation;
# confirm the exact scope in limits.conf.spec before enabling, since
# installing apps is a privileged operation.
enable_install_apps = false

[segmenter]
use_segmenter_v2 = true

[watchdog]
stack_files_ttl = 7d
stack_files_removal_period = 1h

[ingest_actions]
rfs.provider.rawdata_limit_mb = 1024
rfs.provider.max_workers = 4
rfsS3DestinationOff = false

[spl2]
origin = all