#   Version 9.2.2.20240415
#
############################################################################
# OVERVIEW
############################################################################
# This file contains descriptions of the settings that you can use to
# configure limitations for the search commands.
#
# Each stanza controls different search command settings.
#
# There is a limits.conf file in the $SPLUNK_HOME/etc/system/default/ directory.
# Never change or copy the configuration files in the default directory.
# The files in the default directory must remain intact and in their original
# location.
#
# To set custom configurations, create a new file with the name limits.conf in
# the $SPLUNK_HOME/etc/system/local/ directory. Then add the specific settings
# that you want to customize to the local configuration file.
# For examples, see limits.conf.example. You must restart the Splunk instance
# to enable configuration changes.
#
# To learn more about configuration files (including file precedence) see the
# documentation located at
# http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles
#
# About Distributed Search
#   Unlike most settings which affect searches, limits.conf settings are not
#   provided by the search head to be used by the search peers. This means
#   that if you need to alter search-affecting limits in a distributed
#   environment, typically you will need to modify these settings on the
#   relevant peers and search head for consistent results.
#
############################################################################
# GLOBAL SETTINGS
############################################################################
# Use the [default] stanza to define any global settings.
#  * You can also define global settings outside of any stanza, at the top of
#    the file.
#  * Each .conf file should have at most one default stanza. If there are
#    multiple default stanzas, settings are combined. In the case of
#    multiple definitions of the same setting, the last definition in the
#    file takes precedence.
#  * If a setting is defined at both the global level and in a specific
#    stanza, the value in the specific stanza takes precedence.
#
# CAUTION: Do not alter the settings in the limits.conf file unless you know
#     what you are doing. Improperly configured limits might result in
#     splunkd crashes, memory overuse, or both.

[default]

DelayArchiveProcessorShutdown =
* Specifies whether, during Splunk shutdown, the archive processor should
  finish processing the archive file that it is currently processing.
* When set to "false": The archive processor abandons further processing of
  the archive file and will process it again from the start.
* When set to "true": The archive processor will complete processing of the
  archive file. Shutdown will be delayed.
* Default: false

maxArchiveNestLevel =
* Specifies the maximum number of nested levels for an archive file for
  processing.
* If an archive file exceeds the maximum specified nested level, Splunk
  software ignores the archive file.
* Maximum value: 10
* Default: 4

max_mem_usage_mb =
* Provides a limitation to the amount of RAM, in megabytes (MB), a batch of
  events or results will use in the memory of a search process.
* Operates on an estimation of memory use which is not exact. The estimation
  can deviate by an order of magnitude or so to both the smaller and larger
  sides.
* The limitation is applied in an unusual way: if the number of results or
  events exceeds maxresultrows, AND the estimated memory exceeds this limit,
  the data is spilled to disk.
* This means, as a general rule, lower limits will cause a search to use more
  disk I/O and less RAM, and be somewhat slower, but should cause the same
  results to typically come out of the search in the end.
* This limit is currently applied to a number of search processors, but not
  all of them. However, more will likely be added as it proves necessary.
* The number is thus effectively a ceiling on batch size for many components
  of search for all searches run on this system.
* When set to "0": Specifies that the size is unbounded. Searches might be
  allowed to grow to arbitrary sizes.
* NOTE:
  * The mvexpand command uses the 'max_mem_usage_mb' value in a different way.
    * The mvexpand command has no combined logic with 'maxresultrows'.
    * If the memory limit is exceeded, output is truncated, not spilled to
      disk.
  * The 'stats' and 'sdselect' command processors use the 'max_mem_usage_mb'
    value in the following way.
    * If the estimated memory usage exceeds the specified limit, the results
      are cached to the disk. This means that when a large volume of data
      exceeds the 'max_mem_usage_mb' setting, the search processor doesn't
      store all the data in memory. Instead, the search processor puts some
      data into temporary data files on disk, so that it can do further
      processing on that data later as needed.
    * If 0 is specified, the results are cached to the disk when the number
      of results exceeds the 'maxresultrows' setting.
  * The eventstats command processor uses the 'max_mem_usage_mb' value in the
    following way.
    * Both the 'max_mem_usage_mb' and the 'maxresultrows' settings are used
      to determine the maximum number of results to return. If the limit for
      one setting is reached, the eventstats processor continues to return
      results until the limit for the other setting is reached. When both
      limits are reached, the eventstats command processor stops adding the
      requested fields to the search results.
    * If you set 'max_mem_usage_mb' to 0, the eventstats command processor
      uses only the 'maxresultrows' setting as the threshold. When the number
      of results exceeds the 'maxresultrows' setting, the eventstats command
      processor stops adding the requested fields to the search results.
* Default: 200

min_batch_size_bytes =
* Specifies the size, in bytes, of the file/tar after which the file is
  handled by the batch reader instead of the tailing processor.
* Global setting, cannot be configured per input.
* NOTE: Configuring this to a very small value could lead to backing up of
  jobs at the tailing processor.
* Default: 20971520

regex_cpu_profiling =
* Enable CPU time metrics for RegexProcessor. Output will be in the
  metrics.log file. Entries in metrics.log will appear as
  per_host_regex_cpu, per_source_regex_cpu, per_sourcetype_regex_cpu,
  per_index_regex_cpu.
* Default: true

agg_cpu_profiling =
* Enable CPU time metrics for AggregatorProcessor. Output will be in the
  metrics.log file. Entries in metrics.log will appear as
  per_host_agg_cpu, per_source_agg_cpu, per_sourcetype_agg_cpu,
  per_index_agg_cpu.
* Default: true

msp_cpu_profiling =
* Enable CPU time metrics for MetricSchemaProcessor. Output will be in the
  metrics.log file. Entries in metrics.log will appear as
  per_host_msp_cpu, per_source_msp_cpu, per_sourcetype_msp_cpu,
  per_index_msp_cpu.
* Default: true

mp_cpu_profiling =
* Enable CPU time metrics for MetricsProcessor. Output will be in the
  metrics.log file. Entries in metrics.log will appear as
  per_host_mp_cpu, per_source_mp_cpu, per_sourcetype_mp_cpu,
  per_index_mp_cpu.
* Default: true

lb_cpu_profiling =
* Enable CPU time metrics for LineBreakingProcessor. Output will be in the
  metrics.log file. Entries in metrics.log will appear as
  per_host_lb_cpu, per_source_lb_cpu, per_sourcetype_lb_cpu,
  per_index_lb_cpu.
* Default: true

clb_cpu_profiling =
* Enable CPU time metrics for ChunkedLBProcessor. Output will be in the
  metrics.log file. Entries in metrics.log will appear as
  per_host_clb_cpu, per_source_clb_cpu, per_sourcetype_clb_cpu,
  per_index_clb_cpu.
* Default: false

file_and_directory_eliminator_reaper_interval =
* Specifies how often, in seconds, to run the FileAndDirectoryEliminator
  reaping process.
* The FileAndDirectoryEliminator eliminates files and directories by moving
  them to a location that is reaped periodically. This reduces the chance of
  encountering issues due to files being in use.
* On Windows, the FileAndDirectoryEliminator is used by the deployment client
  to delete apps that have been removed or that are being redeployed.
* A value of 0 disables the FileAndDirectoryEliminator.
* NOTE: Do not change this setting unless instructed to do so by Splunk
  Support.
* Default (on Windows): 60
* Default (otherwise): 0

interval =
* Number of seconds between logging splunkd metrics to metrics.log for
  different subgroups.
* Check metrics.log for the list of configurable "metrics_modules".
* Set "interval" under the desired "metrics_module" stanza.
* Example:
  * If you want a 60 second metrics logging interval for "thruput:thruput",
  * [thruput:thruput]
  * interval = 60
* Minimum value is 10 seconds.
* Valid values are multiples of 10.
* If the value is not an exact multiple of 10, it is adjusted downward to the
  nearest multiple of 10.
* Recommended value: a multiple of 30. Splunk decides how often to check for
  metrics reporting based on the greatest common divisor across the different
  values. If "interval" is set to 30 and 40 for two different components,
  then the greatest common divisor of 30, 40 and 60 (default) is 10. It is
  expensive for the metrics reporting thread to log every 10 seconds. If
  "interval" is set to 30 and 900 for two different components, then the
  greatest common divisor of 30, 900 and 60 (default) is 30. It is less
  expensive for the metrics reporting thread to log every 30 seconds.
* Default: the "interval" config value set under the [metrics] stanza.

[searchresults]
* This stanza controls search results for a variety of Splunk search
  commands.

compression_level =
* Compression level to use when writing search results to .csv.gz files.
* Default: 1

maxresultrows =
* Configures the maximum number of events generated by search commands which
  grow the size of your result set (such as multikv) or that create events.
  Other search commands are explicitly controlled in specific stanzas that
  follow.
* NOTE: Do not change this setting unless instructed to do so by Splunk
  Support.
* Default: 50000

tocsv_maxretry =
* Maximum number of times to retry the atomic write operation.
* When set to "1": Specifies that there will be no retries.
* Default: 5

tocsv_retryperiod_ms =
* Period of time to wait before each retry.
* Default: 500

* These settings control logging of error messages to the info.csv file.
  All messages will be logged to the search.log file regardless of these
  settings.

[search_info]
* This stanza controls logging of messages to the info.csv file.
* Messages logged to the info.csv file are available to REST API clients and
  Splunk Web. Limiting the messages added to info.csv will mean that these
  messages will not be available in the UI and/or the REST API.

filteredindexes_log_level = [DEBUG|INFO|WARN|ERROR]
* Log level of messages when a search returns no results because the user has
  no permissions to search on the queried indexes.
* Default: DEBUG

infocsv_log_level = [DEBUG|INFO|WARN|ERROR]
* Limits the messages which are added to the info.csv file to the stated
  level and above.
* For example, if "infocsv_log_level" is WARN, messages of type WARN and
  higher will be added to the info.csv file.
* Default: INFO

max_infocsv_messages =
* Limits the number of messages which are added to the info.csv file, per
  log level.
* If more than max_infocsv_messages log entries are generated, additional
  entries will not be logged in the info.csv file. All entries will still be
  logged in the search.log file.
* Default: 20

show_warn_on_filtered_indexes =
* Log warnings if a search returns no results because the user has no
  permissions to search on the queried indexes.
* Default: false

[subsearch]
* This stanza controls subsearch results.
* Read more about subsearches in the online documentation:
  http://docs.splunk.com/Documentation/Splunk/latest/Search/Aboutsubsearches

maxout =
* Maximum number of results to return from a subsearch.
* This value cannot be greater than or equal to 10500.
* Default: 10000

maxtime =
* Maximum number of seconds to run a subsearch before finalizing.
* Default: 60

ttl =
* The time to live (ttl), in seconds, of the cache for the results of a given
  subsearch.
* Do not set this below 120 seconds.
* See the definition in the [search] stanza under the "TTL" section for more
  details on how the ttl is computed.
* Default: 300 (5 minutes)

subsearch_artifacts_delete_policy = [immediate|ttl]
* How subsearch artifacts are deleted after a subsearch completes.
* Set to 'immediate' to have subsearch artifacts removed immediately after a
  subsearch completes.
* Set to 'ttl' to have subsearch artifacts deleted after the time-to-live of
  the subsearch has been reached.
* For example, you could use
  '|noop subsearch_artifacts_delete_policy = [immediate|ttl]' to overwrite
  the setting for a particular search.
* Default: ttl

############################################################################
# SEARCH COMMAND
############################################################################
# This section contains the limitation settings for the search command.
# The settings are organized by type of setting.

[search]
# The settings under the [search] stanza are organized by type of setting.

############################################################################
# Batch search
############################################################################
# This section contains settings for batch search.

allow_batch_mode =
* Specifies whether or not to allow the use of batch mode, which searches in
  disk-based batches in a time-insensitive manner.
* In distributed search environments, this setting is used on the search
  head.
* Default: true

batch_search_max_index_values =
* When using batch mode, this limits the number of event entries read from
  the index file. These entries are small, approximately 72 bytes. However,
  batch mode is more efficient when it can read more entries at one time.
* Setting this value to a smaller number can lead to slower search
  performance.
* A balance needs to be struck between more efficient searching in batch mode
  and running out of memory on the system with concurrently running searches.
* Default: 10000000

batch_search_max_pipeline =
* This setting controls the number of search pipelines that are launched on
  the indexer during batch search.
* Increasing the number of search pipelines can improve search performance.
  However, this can also result in increased thread and memory usage.
* This setting applies only to searches that run on remote indexers.
* The value for this setting should be >=1. When this setting is >1 on the
  search head, the setting is applied to all remote indexers. Otherwise,
  remote indexers use their local 'batch_search_max_pipeline' setting.
* You can override this setting on a per-search basis by appending
  '|noop batch_search_max_pipeline=' to the search string. The value should
  be >1.
* Default: 1

batch_search_max_results_aggregator_queue_size =
* Controls the size, in bytes, of the search results queue to which all the
  search pipelines dump the processed search results.
* Increasing the size can lead to search performance gains. Decreasing the
  size can reduce search performance.
* Do not specify zero for this setting.
* Default: 100000000

batch_search_max_serialized_results_queue_size =
* Controls the size, in bytes, of the serialized results queue from which the
  serialized search results are transmitted.
* Increasing the size can lead to search performance gains. Decreasing the
  size can reduce search performance.
* Do not specify zero for this setting.
* Default: 100000000

NOTE: The following batch search settings control the periodicity of retries
      to search peers in the event of failure (connection errors, and others).
      The interval exists between failure and first retry, as well as
      successive retries in the event of further failures.

batch_retry_min_interval =
* When batch mode attempts to retry the search on a peer that failed,
  specifies the minimum time, in seconds, to wait to retry the search.
* Default: 5

batch_retry_max_interval =
* When batch mode attempts to retry the search on a peer that failed,
  specifies the maximum time, in seconds, to wait to retry the search.
* Default: 300 (5 minutes)

batch_retry_scaling =
* After a batch retry attempt fails, uses this scaling factor to increase the
  time to wait before trying the search again.
* The value should be > 1.0.
* Default: 1.5

############################################################################
# Bundles
############################################################################
# This section contains settings for bundles and bundle replication.

load_remote_bundles =
* On a search peer, allow remote (search head) bundles to be loaded in
  splunkd.
* Default: false

replication_file_ttl =
* The time to live (ttl), in seconds, of bundle replication tarballs, for
  example: *.bundle files.
* Default: 600 (10 minutes)

replication_period_sec =
* The minimum amount of time, in seconds, between two successive bundle
  replications.
* Default: 60

sync_bundle_replication = [0|1|auto]
* Indicates whether configuration file replication blocks searches or is run
  asynchronously.
* When set to "auto": The Splunk software uses asynchronous replication only
  if all of the peers support asynchronous bundle replication. Otherwise
  synchronous replication is used.
* Default: auto

bundle_status_expiry_time =
* The amount of time the search head waits before purging the status of a
  knowledge bundle push request to the indexer.
* The status is purged either when it is not queried for a period greater
  than this setting or when its associated bundle is deleted by the reaper.
* The interval can be specified as a string for minutes, seconds, hours,
  days. For example: 60s, 1m, 1h, 1d etc.
* Default: 1h

############################################################################
# Concurrency
############################################################################
# This section contains settings for search concurrency limits.

total_search_concurrency_limit = auto |
* Specifies the maximum search concurrency limit for a search head cluster or
  standalone search head.
* When set to "auto", the search head cluster or standalone search head
  calculates the historical search concurrency limit using
  max_hist_searches = max_searches_per_cpu x number_of_cpus + base_max_searches.
* The real-time search concurrency limit is calculated based on the
  historical search concurrency limit.
* When set to an integer, the setting specifies the maximum search
  concurrency limit. For a search head cluster, the number specifies the
  maximum search limit across the cluster. For a standalone search head, the
  number specifies the maximum search limit for the search head. The value
  must be in the range of 1 to 8192.
* Default: auto

base_max_searches =
* A constant to add to the maximum number of searches, computed as a
  multiplier of the CPUs.
* Default: 6

max_rt_search_multiplier =
* A number by which the maximum number of historical searches is multiplied
  to determine the maximum number of concurrent real-time searches.
* NOTE: The maximum number of real-time searches is computed as:
  max_rt_searches = max_rt_search_multiplier x max_hist_searches
* Default: 1

max_searches_per_cpu =
* The maximum number of concurrent historical searches for each CPU.
  The system-wide limit of historical searches is computed as:
  max_hist_searches = max_searches_per_cpu x number_of_cpus + base_max_searches
* NOTE: The maximum number of real-time searches is computed as:
  max_rt_searches = max_rt_search_multiplier x max_hist_searches
* Default: 1

shc_adhoc_quota_enforcement = on | off | overflow
* Determines the way in which the cluster enforces limits on the number of
  concurrent searches. Since concurrent searches include both scheduled and
  ad hoc searches, this setting effectively determines the enforcement method
  for admitting new ad hoc searches.
* "on" means the ad hoc search admission process is managed cluster-wide by
  the captain.
* "off" means the ad hoc search admission process is managed locally, by each
  search head that receives an ad hoc search request.
* "overflow" means the local search head checks its local capacity first when
  admitting an ad hoc search. If the search head has capacity (that is, if
  the search head is below the local limit on number of concurrent searches),
  it runs the search locally. If the search head has reached its limit on
  concurrent searches, it defers to the captain for permission to run the
  search. The captain checks which search head has the capacity, and tells
  the local search head to proxy the search to the remote search head to run
  it.
* NOTE: Setting it to "on" or "overflow" lets a user run more ad hoc searches
  than individual cluster member concurrency limits allow. While this can
  help a user/role with heavier ad hoc search requirements, it can lead to
  under-counting of the cluster-wide ad hoc search numbers and cause the ad
  hoc search count to exceed cluster-wide quota limits. Do not change this
  setting without consulting Splunk Support.
* Default: off

############################################################################
# Distributed search
############################################################################
# This section contains settings for distributed search connection
# information.

addpeer_skew_limit =
* Absolute value of the largest time skew, in seconds, that is allowed when
  configuring a search peer from a search head, independent of time.
* If the difference in time (skew) between the search head and the peer is
  greater than "addpeer_skew_limit", the search peer is not added.
* This is only relevant to manually added peers. This setting has no effect
  on index cluster search peers.
* Default: 600 (10 minutes)

fetch_remote_search_log = [enabled|disabledSavedSearches|disabled]
* When set to "enabled": All remote search logs are downloaded, except for
  oneshot search logs.
* When set to "disabledSavedSearches": Downloads all remote logs other than
  saved search logs and oneshot search logs.
* When set to "disabled": Irrespective of the search type, all remote search
  log download functionality is disabled.
* NOTE:
  * The previous Boolean values [true|false] are still supported, but are
    not recommended.
  * The previous value of "true" maps to the current value of "enabled".
  * The previous value of "false" maps to the current value of "disabled".
* You can override this setting on a per-search basis by appending
  '|noop remote_log_fetch=[*|]' to the search string, where is a list of
  indexers that contain the remote search logs that you want to collect.
* Default: disabledSavedSearches

max_chunk_queue_size =
* The maximum size of the chunk queue.
* Default: 10000000

max_combiner_memevents =
* Maximum size of the in-memory buffer for the search results combiner. The
  value is the number of events.
* Default: 50000

max_tolerable_skew =
* Absolute value of the largest time skew, in seconds, that is tolerated
  between the native clock on the search head and the native clock on the
  peer (independent of time zone).
* If this time skew is exceeded, a warning is logged. This estimate is
  approximate and tries to account for network delays.
* Default: 60

max_workers_searchparser =
* The number of worker threads used to process search results when using the
  round robin policy.
* Default: 5

results_queue_min_size =
* The minimum number of search result chunks that will be kept from peers for
  processing on the search head before throttling the rate at which data is
  accepted.
* The minimum queue size in chunks is the "results_queue_min_size" value or
  the number of peers providing results, whichever is greater.
* Default: 10

result_queue_max_size =
* The maximum size, in bytes, that will be kept from peers for processing on
  the search head before throttling the rate at which data is accepted.
* The "results_queue_min_size" value takes precedence. The number of search
  results chunks specified by "results_queue_min_size" will always be
  retained in the queue even if the combined size in MB exceeds the
  "result_queue_max_size" value.
* Default: 100

results_queue_read_timeout_sec =
* The amount of time, in seconds, to wait when the search executing on the
  search head has not received new results from any of the peers.
* Cannot be less than the 'receiveTimeout' setting in the distsearch.conf
  file.
* Default: 900

batch_wait_after_end =
* DEPRECATED: Use the 'results_queue_read_timeout_sec' setting instead.

remote_search_requests_throttling_type = disabled | per_cpu | physical_ram
* Sets the way remote searches are throttled on remote peers. A throttled
  search request is rejected with HTTP status code 429.
* "disabled" simply disables any throttling.
* "per_cpu" sets the throttling based on the available CPU number.
* "physical_ram" sets the throttling based on available system memory.
* Multiple, comma-separated, throttling types can be set. For example:
  'remote_search_requests_throttling_type = per_cpu, physical_ram' enables
  both "per_cpu" and "physical_ram".
* Does not apply to real-time searches.
* Do not use this feature in conjunction with workload management.
* Default: disabled

remote_search_requests_send_capabilities_list =
* When turned on, the search head sends the list of all capabilities of the
  user running the search to every search peer participating in the search.
* This makes it possible to uniformly enforce user-level role-based access
  control (RBAC).
* Default: true

remote_search_requests_reject_if_capabilities_list_absent =
* When turned on for a search peer, the search peer rejects search requests
  that do not also specify the full capability list for the user running the
  search.
* The search head sends the full capability list for users running the
  search when 'send_capabilities_list_to_indexer' is set to true.
* Turn this on only if all search heads have already set
  'send_capabilities_list_to_indexers' to true.
* Default: false

############################################################################
# Field stats
############################################################################
# This section contains settings for field statistics.

fieldstats_update_freq =
* How often to update the field summary statistics, as a ratio to the elapsed
  run time so far.
* Smaller values mean update more frequently.
* When set to "0": Specifies to update as frequently as possible.
* Default: 0

fieldstats_update_maxperiod =
* The maximum period, in seconds, for updating field summary statistics.
* When set to "0": Specifies that there is no maximum period. The period is
  dictated by the calculation: current_run_time x fieldstats_update_freq
* Fractional seconds are allowed.
* Default: 60

min_freq =
* Minimum frequency of a field that is required for the field to be included
  in the /summary endpoint.
* The frequency must be a fraction >=0 and <=1.
* Default: 0.01 (1%)

############################################################################
# History
############################################################################
# This section contains settings for search history.

enable_history =
* Specifies whether to keep a history of the searches that are run.
* Default: true

max_history_length =
* Maximum number of searches to store in history for each user and
  application.
* When 'search_history_storage_mode' has a value of "kvstore", this value is
  applicable per user only, and not per user and application combination.
* Default: 500

max_history_storage_retention_time = [s|m|h|d]
* The maximum time to store search history records for each user and
  application.
* This setting and the 'max_history_length' setting determine how many search
  history records appear in persistent storage.
* Search stops storing search history records when either the retention time
  or the number of search history records exceeds the values you configure
  with these settings.
* A value of 0 means that search only uses 'max_history_length' to retain
  search history to persistent storage.
* The time units you can specify for this setting are: s, sec, second, secs,
  seconds, m, min, minute, mins, minutes, h, hr, hour, hrs, hours, d, day,
  days.
* This setting is only applicable when 'search_history_storage_mode' has a
  value of "kvstore".
* Default: 90d

search_history_storage_mode =
* The storage mode by which a search head cluster saves search history.
* Valid storage modes include "csv" and "kvstore".
* This setting is valid only when the 'enable_history' setting has a value of
  "true".
* A value of "kvstore" means that the cluster can replicate search history
  across all its members using the App Key Value Store service.
* A value of "csv" means that search history is saved to CSV files only on
  the local search head.
* When you initially give this setting a value of "kvstore", the search head
  migrates the existing search history records, if they are present in
  existing CSV files, into the App Key Value Store service. This migration of
  search history can only happen once. If you later change the storage mode
  to "csv", then back to "kvstore", subsequent migrations do not occur.
* NOTE: In the "kvstore" storage mode, 'max_history_length' is the maximum
  number of searches that the SHC can store for each user. In this case, the
  maximum acceptable value of 'max_history_length' cannot exceed 1000.
* Default: csv

############################################################################
# Memory tracker
############################################################################
# This section contains settings for the memory tracker.

enable_memory_tracker =
* Specifies if the memory tracker is enabled.
* When set to "false" (disabled): The search is not terminated even if the
  search exceeds the memory limit.
* When set to "true": Enables the memory tracker.
* Must be set to "true" to enable the "search_process_memory_usage_threshold"
  setting or the "search_process_memory_usage_percentage_threshold" setting.
* Default: false

search_process_memory_usage_threshold =
* To use this setting, the "enable_memory_tracker" setting must be set to
  "true".
* Specifies the maximum memory, in MB, that the search process can consume in
  RAM.
* Search processes that violate the threshold are terminated.
* If the value is set to 0, then search processes are allowed to grow
  unbounded in terms of in-memory usage.
* Default: 4000 (4GB)

search_process_memory_usage_percentage_threshold =
* To use this setting, the 'enable_memory_tracker' setting must be set to
  "true".
* Specifies the percent of the total memory that the search process is
  entitled to consume.
* Search processes that violate the threshold percentage are terminated.
* If the value is set to zero, then Splunk search processes are allowed to
  grow unbounded in terms of percentage memory usage.
* Any setting larger than 100 or less than 0 is discarded and the default
  value is used.
* Default: 25%

############################################################################
# Meta search
############################################################################
# This section contains settings for meta search.

allow_inexact_metasearch =
* Specifies whether an inexact metasearch is allowed.
* When set to "true": An INFO message is added to the inexact metasearches.
* When set to "false": A fatal exception occurs at search parsing time.
* Default: false

indexed_as_exact_metasearch =
* Specifies if a metasearch can process = the same as ::, if is an indexed
  field.
* When set to "true": Allows a larger set of metasearches when the
  'allow_inexact_metasearch' setting is "false". However, some of the
  metasearches might be inconsistent with the results of doing a normal
  search.
* Default: false

############################################################################
# Misc
############################################################################
# This section contains miscellaneous search settings.

async_quota_update =
* When set to 'true', this setting enables a thread that periodically checks
  the disk quota cache for searches.
* Because it moves disk quota checking to an async function, this setting
  improves search performance.
* However, this thread can cause the number of in-process searches to
  slightly exceed concurrent search quotas.
* Set this setting to 'false' if you require strict maintenance of user disk
  quotas.
* Default: false

async_quota_update_freq =
* The frequency, in seconds, at which the disk quota cache for searches is
  updated.
* Applies only when 'async_quota_update=true'.
* Default: 30

use_removable_search_cache =
* Determines whether the /saved/searches handler uses a cache that lets it emit tags on a list call.
* This slightly changes the appearance of the delete option on saved search knowledge objects in Splunk Web, but results in a performance boost.

disk_usage_update_period =
* Specifies how frequently, in seconds, the search process should estimate the artifact disk usage.
* The quota for the amount of disk space that a search job can use is controlled by the 'srchDiskQuota' setting in the authorize.conf file.
* Exceeding this quota causes the search to be auto-finalized immediately, even if there are results that have not yet been returned.
* Fractional seconds are allowed.
* Default: 10

dispatch_dir_warning_size =
* Specifies the number of jobs in the dispatch directory that triggers a bulletin message. The message warns that performance might be impacted.
* Default: 5000

do_not_use_summaries =
* Do not use this setting without working in tandem with Splunk Support.
* This setting is a very narrow subset of 'summary_mode=none'.
* When set to "true": Disables some functionality that is necessary for report acceleration.
* In particular, when set to "true", search processes no longer query the main splunkd's /admin/summarization endpoint for report acceleration summary IDs.
* In certain narrow use cases this might improve performance if report acceleration (savedsearches.conf:auto_summarize) is not in use, by lowering the main splunkd process overhead.
* Default: false

enable_createrss_command =
* Enables the deprecated 'createrss' search command. Enabling 'createrss' does not affect the behavior of the 'rss' alert action.
* This deprecated command is now disabled by default.
* Default: false

enable_datamodel_meval =
* Enables concatenation of successively occurring evals into a single comma-separated eval during the generation of datamodel searches.
* Default: true

enable_file_command =
* DEPRECATED.
  This setting has been deprecated and has no effect.

enable_conditional_expansion =
* Determines whether or not scoped conditional expansion of knowledge objects occurs during search string expansion. This only applies on the search head.
* NOTE: Do not change unless instructed to do so by Splunk Support.
* Default: true

force_saved_search_dispatch_as_user =
* Specifies whether to overwrite the "dispatchAs" value.
* When set to "true": The "dispatchAs" value is overwritten by "user" regardless of the [user|owner] value in the savedsearches.conf file.
* When set to "false": The value in the savedsearches.conf file is used.
* You might want to set this to "true" to effectively disable "dispatchAs = owner" for the entire install, if that more closely aligns with your security goals.
* Default: false

get_summary_id_connection_timeout =
* The connection timeout, in seconds, for a search to check for available summaries using the admin/summarization REST endpoint.
* This setting does not apply if 'do_not_use_summaries' is "true", or if 'summary_mode' is set to "none".
* Default: 5

get_summary_id_rcv_timeout =
* The timeout, in seconds, for a search to receive data from the admin/summarization REST endpoint when checking for available summaries.
* This setting does not apply if 'do_not_use_summaries' is "true", or if 'summary_mode' is set to "none".
* Default: 5

get_summary_id_send_timeout =
* The timeout, in seconds, for a search to send a query to the admin/summarization REST endpoint when checking for available summaries.
* This setting does not apply if 'do_not_use_summaries' is "true", or if 'summary_mode' is set to "none".
* Default: 5

max_id_length =
* Maximum length of the custom search job ID when spawned by using the REST API argument "id".
* Default: 150

max_id_length_before_hash =
* Specifies the maximum length of a generated or custom search job ID before the Splunk software shortens the directory name. The search job ID itself remains the same.
* If set to 0, the Splunk software never hashes the ID. In this case, IDs that are too long cause the search to fail.
* NOTE: Do not change this setting unless instructed to do so by Splunk Support.
* Default: 230

search_keepalive_frequency =
* Specifies how often, in milliseconds, a keepalive is sent while a search is running.
* Default: 30000 (30 seconds)

search_keepalive_max =
* The maximum number of uninterrupted keepalives before the connection is closed.
* This counter is reset if the search returns results.
* Default: 100

search_retry =
* Specifies whether the Splunk software reruns all of, or elements of, a currently running search process when the search process is affected by indexer failures in an indexer clustering environment.
* Indexers can fail during rolling restart or indexer upgrade when indexer clustering is enabled. Indexer reboots can also result in failures.
* When set to 'true', the Splunk software attempts to rerun search processes that are affected by indexer failures. The Splunk software can rerun entire searches and it can rerun searches from the indexer fail point. Do not set the value to "1" to indicate "true", because some systems might not parse this value correctly.
* NOTE: Splunk software performs search reruns on a best-effort basis. When you enable this setting it is possible for Splunk software to return partial results for searches without warning.
* When set to 'false', search processes stop returning results from specific indexers when those indexers fail, and the Splunk software does not rerun those searches.
* Default: false

search_retry_max_historical =
* Specifies the maximum number of attempts that the Splunk software makes to rerun a historical search as described by 'search_retry'.
* This setting is applied only when 'search_retry = true'.
* This setting applies only to historical searches.
* When the number of attempts exceeds 'search_retry_max_historical', the search fails with an error stating that results are incomplete.
* Default: 15

search_retry_waiting_time =
* Sets how long, in seconds, 'search_retry' waits to get updated indexer information.
* The wait time required for recovery after indexer failure can vary depending on your indexer environment.
* Increase this value if your environment needs more recovery time to get updated indexer information.
* The value should be >= 1.
* Default: 70

stack_size =
* The stack size, in bytes, of the thread that executes the search.
* Default: 4194304 (4MB)

summary_mode = [all|only|none]
* Specifies whether precomputed summary data is to be used.
* When set to "all": Use summary data if possible, otherwise use raw data.
* When set to "only": Use summary data if possible, otherwise do not use any data.
* When set to "none": Never use precomputed summary data.
* Default: all

track_indextime_range =
* Specifies whether the system should track the _indextime range of returned search results.
* Default: true

use_bloomfilter =
* Specifies whether the Splunk software uses Bloom filters to optimize searches.
* When set to 'true', the Splunk software consults 'bloomfilter' files that may be present in index buckets to determine whether those buckets contain relevant search terms, thereby enabling the software to skip searching tsidx files that do not have relevant search terms. In this way, Bloom filter usage can improve search performance.
* When set to 'false', the Splunk software searches tsidx summary files without filtering out tsidx files that do not have relevant terms.
* NOTE: Do not change this setting unless instructed to do so by Splunk Support.
* Default: true

use_metadata_elimination =
* Controls whether to use metadata to rule out buckets.
* Default: true

results_serial_format = [csv|srs]
* The internal format used for storing serialized results on disk.
* Options:
  * csv: Comma-separated values format
  * srs: Splunk binary format
* NOTE: Do not change this setting unless instructed to do so by Splunk Support.
* Default: srs

results_compression_algorithm = [gzip|zstd|none]
* The compression algorithm used for storing serialized results on disk.
* Options:
  * gzip: gzip
  * zstd: zstd
  * none: No compression
* NOTE: Do not change this setting unless instructed to do so by Splunk Support.
* Default: zstd

record_search_telemetry =
* Controls whether to record search-related metrics in search_telemetry.json in the dispatch directory. It also indexes this file to the _introspection index.
* NOTE: Do not change this setting unless instructed to do so by Splunk Support.
* Default: true

search_telemetry_file_limit =
* Sets a limit on the number of telemetry files that the Splunk software can copy to the var/run/splunk/search_telemetry/ directory, so that it may index them in the _introspection index.
* Once this limit is reached, the Splunk software stops adding telemetry files to the directory for indexing.
* NOTE: Do not change this setting unless instructed to do so by Splunk Support.
* Default: 500

search_telemetry_component_limit =
* Sets a limit on the size (in bytes) of each of the constituent components in the search telemetry JSON representation.
* Once this limit is reached, the Splunk software replaces the constituent component with a simple value: "trimmed".
* NOTE: Do not change this setting unless instructed to do so by Splunk Support.
* Default: 10000

use_dispatchtmp_dir =
* DEPRECATED. This setting has been deprecated and has no effect.

auto_cancel_after_pause =
* Specifies the amount of time, in seconds, that a search must be paused before the search is automatically cancelled.
* If set to 0, a paused search is never automatically cancelled.
* Default: 0

always_include_indexedfield_lispy =
* Whether or not search always looks for a field that does not have "INDEXED = true" set in fields.conf using both the indexed and non-indexed forms.
* If set to "true", when searching for <field>=<value>, the lexicon is searched for both "<field>::<value>" and "<value>".
* If set to "false", when searching for <field>=<value>, the lexicon is searched only for "<value>".
* Set to "true" if you have fields that are sometimes indexed and sometimes not indexed.
* For field names that are always indexed, it is much better for performance to set "INDEXED = true" in fields.conf for that field instead.
* Default: true

indexed_fields_expansion =
* Specifies whether search scopes known indexed fields with the source types that they are known to be indexed with.
* When set to 'true', for every field known to be indexed, the Splunk software converts every known field=val statement to field::val, scoped with the applicable sourcetypes.
* Default: true

max_searchinfo_map_size =
* Maximum number of entries in each SearchResultsInfo data structure map that is used to track information about search behavior.
* Default: 50000

track_matching_sourcetypes =
* If true, keeps track of the number of events of each sourcetype that match a search, and stores that information in info.csv.
* Default: true

search_launch_timeout_seconds =
* The maximum amount of time, in seconds, to wait for a search job to launch successfully.
* If a search job does not launch after the timeout interval elapses, the job terminates as a search failure.
* If search jobs time out frequently before successfully launching, check whether the server running Splunk software is overloaded. Alternatively, change this setting to a number greater than 180.
* For most deployments, 180 seconds is sufficient.
* Default: 180

search_startup_config_timeout_ms =
* The amount of time allowed, in milliseconds, to initialize a search job's configuration, including the knowledge bundle.
* If initializing the search configuration takes longer than the time allowed by this setting, the 'DISPATCH_RUNNER:SLOW_CONFIG_INITIAL' warning message is displayed in Splunk Web.
* This setting is used only to monitor search performance.
* Default: 3000

max_audit_sourcetypes =
* If track_matching_sourcetypes = true, the matching sourcetypes for a search are written to the info=completed audit.log message upon completion of the search, up to max_audit_sourcetypes.
* If max_audit_sourcetypes is set to 0, sourcetype information is not added to audit.log.
* If the number of matching sourcetypes exceeds the max_audit_sourcetypes setting, the sourcetypes with the greatest number of matching events are included.
* Default: 100

use_search_evaluator_v2 =
* If true, search evaluator v2 is used.
* NOTE: Do not change this setting unless instructed to do so by Splunk Support.
* Default: true

execute_postprocess_in_search =
* If true, tries to run postprocess searches ahead of time in the search process instead of the main splunkd process.
* Default: true

max_fieldmeta_cnt_ui =
* The maximum number of field metadata entries displayed in the /jobs/fieldmeta endpoint.
* When viewing the search job status for searches with a large number of field metadata entries, decreasing this value reduces the memory load on the splunkd mothership, but shows less field metadata in the web UI.
* Default: 1000

############################################################################
# Parsing
############################################################################
# This section contains settings related to parsing searches.

max_macro_depth =
* Maximum recursion depth for macros. Specifies the maximum levels for macro expansion.
* It is considered a search exception if macro expansion does not stop after this many levels.
* Value must be greater than or equal to 1.
* Default: 100

max_subsearch_depth =
* Maximum recursion depth for subsearches. Specifies the maximum levels for subsearches.
* It is considered a search exception if a subsearch does not stop after this many levels.
* Default: 8

min_prefix_len =
* The minimum length of a prefix before a wildcard (*) to use in the query to the index.
* Default: 1

use_directives =
* Specifies whether a search can take directives and interpret them into arguments.
* This is used in conjunction with the search optimizer in order to improve search performance.
* Default: true

############################################################################
# Phased execution settings
############################################################################
# This section contains settings for multi-phased execution.

phased_execution =
* DEPRECATED: This setting has been deprecated.

phased_execution_mode = [multithreaded|auto|singlethreaded]
* DEPRECATED: This setting has been deprecated.
* Controls whether searches use the multiple-phase method of search execution, which is required for parallel reduce functionality as of Splunk Enterprise 7.1.0.
* When set to 'multithreaded': The Splunk platform uses the multiple-phase search execution method. Allows usage of the 'prjob' command and the 'redistribute' command.
* When set to 'auto': The Splunk platform uses the multiple-phase search execution method when the 'prjob' command or the 'redistribute' command is used in the search string. If neither the 'prjob' command nor the 'redistribute' command is present in the search string, the single-phase search execution method is used.
* When set to 'singlethreaded': The Splunk platform uses the single-threaded search execution method, which does not allow usage of the 'prjob' command or the 'redistribute' command.
* NOTE: Do not change this setting unless instructed to do so by Splunk Support.
* Default: multithreaded

############################################################################
# Preview
############################################################################
# This section contains settings for previews.

max_preview_period =
* The maximum time, in seconds, between previews.
* Used with the preview interval that is calculated with the 'preview_duty_cycle' setting.
* When set to "0": Specifies unlimited time between previews.
* Default: 0

min_preview_period =
* The minimum time, in seconds, required between previews. When the interval calculated using 'preview_duty_cycle' indicates that previews should run frequently, this setting limits the frequency with which previews run.
* Default: 1

preview_duty_cycle =
* The maximum time to spend generating previews, as a fraction of the total search time.
* Must be > 0.0 and < 1.0
* Default: 0.25

preview_freq = <timespan> or <ratio>
* The minimum amount of time between results preview updates.
* You can specify values for this setting in one of two formats:
  * As a span of time. In this format, you specify an integer and a character that represents a time unit, for example, "10s" means 10 seconds. The preview updates every period of 'preview_freq'.
  * As a ratio of the amount of time that the search has been running. In this format, you specify a decimal. The preview updates as a ratio of the amount of time that the search has been running, or as a ratio of the length of the time window for real-time windowed searches.
* If you use the ratio format, you must specify a decimal number above 0 and less than 1.
* A setting of 0 disables preview_freq, meaning that there are no limits to the minimum time between previews.
* NOTE: Change this setting only when instructed to do so by Splunk Support.
* Default: 0.05

############################################################################
# Quota or queued searches
############################################################################
# This section contains settings for quota or queued searches.

default_allow_queue =
* Unless otherwise specified by using a REST API argument, specifies whether an asynchronous job spawning request should be queued on quota violation. If not, an HTTP "server too busy" error is returned.
* Default: 1 (true)

dispatch_quota_retry =
* The maximum number of times to retry dispatching a search when the quota has been reached.
* Default: 4

dispatch_quota_sleep_ms =
* The time, in milliseconds, between retries to dispatch a search when a quota is reached.
* Retries the given number of times, with each successive wait 2x longer than the previous wait time.
* Default: 100

enable_cumulative_quota =
* Specifies whether to enforce cumulative role-based quotas.
* Default: false

queued_job_check_freq =
* Frequency, in seconds, to check queued jobs to determine if the jobs can be started.
* Fractional seconds are allowed.
* Default: 1

############################################################################
# Reading chunk controls
############################################################################
# This section contains settings for reading chunk controls.

chunk_multiplier =
* A multiplier that the 'max_results_perchunk', 'min_results_perchunk', and 'target_time_perchunk' settings are multiplied by for a long-running search.
* Default: 5

long_search_threshold =
* The time, in seconds, until a search is considered "long running".
* Default: 2

max_rawsize_perchunk =
* The maximum raw size, in bytes, of results for each call to search (in dispatch).
* When set to "0": Specifies that there is no size limit.
* This setting is not affected by the 'chunk_multiplier' setting.
* Default: 100000000 (100MB)

max_results_perchunk =
* Maximum results for each call to search (in dispatch).
* Must be less than or equal to the 'maxresultrows' setting.
* Default: 2500

min_results_perchunk =
* The minimum results for each call to search (in dispatch).
* Must be less than or equal to the 'max_results_perchunk' setting.
* Default: 100

target_time_perchunk =
* The target duration, in milliseconds, of a particular call to fetch search results.
* Default: 2000 (2 seconds)

############################################################################
# Real-time
############################################################################
# This section contains settings for real-time searches.
check_splunkd_period =
* Amount of time, in seconds, that determines how frequently the search process (when running a real-time search) checks whether the parent process (splunkd) is running.
* Fractional seconds are allowed.
* Default: 60 (1 minute)

realtime_buffer =
* Maximum number of accessible events to keep for real-time searches in Splunk Web.
* Acts as a circular buffer after this buffer limit is reached.
* Must be greater than or equal to 1.
* Default: 10000

############################################################################
# Remote storage
############################################################################
# This section contains settings for remote storage.

bucket_localize_acquire_lock_timeout_sec =
* The maximum amount of time, in seconds, to wait when attempting to acquire a lock for a localized bucket.
* When set to 0, waits indefinitely.
* This setting is only relevant when using remote storage.
* Default: 60 (1 minute)

bucket_localize_connect_timeout_max_retries =
* The maximum number of times to retry when getting connect timeouts while trying to localize a bucket.
* When set to 0, does not retry.
* This setting is only relevant when using remote storage.
* Default: 5

bucket_localize_max_timeout_sec =
* The maximum amount of time, in seconds, to spend localizing a bucket stored in remote storage.
* If the bucket contents (what is required for the search) cannot be localized in that timeframe, the bucket is not searched.
* When set to "0": Specifies an unlimited amount of time.
* This setting is only relevant when using remote storage.
* Default: 300 (5 minutes)

bucket_localize_status_check_period_ms =
* The amount of time, in milliseconds, between consecutive status checks to see if the bucket contents required by the search have been localized.
* This setting is only relevant when using remote storage.
* The minimum and maximum values are 10 and 60000, respectively.
  If the specified value falls outside this range, it is effectively set to the nearest value within the range. For example, if you set the value to 70000, the effective value is 60000.
* Default: 50 (.05 seconds)

bucket_localize_status_check_backoff_start_ms =
* When explicitly set, and different from 'bucket_localize_status_check_period_ms', enables exponential backoff between consecutive status checks for bucket localization, starting from the specified amount of time, in milliseconds, up to 'bucket_localize_status_check_period_ms'.
* This setting is only relevant when using remote storage.
* Setting this option is beneficial when bucket contents localize quickly (for example, in less time than the minimum allowed value for 'bucket_localize_status_check_period_ms'), or with high variability.
* The minimum and maximum values are 1 and 'bucket_localize_status_check_period_ms', respectively. If the specified value falls outside this range, it is effectively set to the nearest value within the range.
* NOTE: Do not change this setting unless instructed to do so by Splunk Support.
* Default: 0 (no backoff)

bucket_localize_max_lookahead =
* Specifies the maximum number of buckets the search command localizes for look-ahead purposes, in addition to the required bucket.
* Increasing this value can improve performance, at the cost of additional network/IO/disk utilization.
* Valid values are 0-64. Any value larger than 64 is set to 64. Other invalid values are discarded and the default is substituted.
* This setting is only relevant when using remote storage.
* Default: 5

bucket_localize_lookahead_priority_ratio =
* A value of N means that lookahead localizations occur only 1 out of N search localizations, if any.
* Default: 5

bucket_predictor = [consec_not_needed|everything]
* Specifies which bucket file prediction algorithm to use.
* Do not change this unless you know what you are doing.
* Default: consec_not_needed

############################################################################
# Results storage
############################################################################
# This section contains settings for storing final search results.

max_count =
* The number of events that can be accessible in any given status bucket (when status_buckets = 0).
* The last accessible event in a call that takes a base and count.
* NOTE: This value does not reflect the number of events displayed in the UI after the search is evaluated or computed.
* Default: 500000

max_events_per_bucket =
* For searches with 'status_buckets>0', this setting limits the number of events retrieved for each timeline bucket.
* Default: 1000 in code.

status_buckets =
* The approximate maximum number of buckets to generate and maintain in the timeline.
* Default: 0, which means do not generate timeline information

read_final_results_from_timeliner =
* When you run a search of event data where 'status_buckets > 0', this setting controls the contents of the results.csv.gz and results.srs.zstd files in the search artifact.
* When set to "true", the final results saved to disk by the search process on the search head are a sample of events read from the timeliner. Do not set the value to "1" to indicate "true", because some systems might not parse this value correctly.
* When set to "false", the final results saved to disk by the search process on the search head are all events produced by the last SPL command, up to a limit of 'max_count' events.
* The 'read_final_results_from_timeliner' setting affects the output of subsequent 'loadjob' searches.
* When set to "true", the 'loadjob' search returns the sample of the final results, not the full result set. For example, if the full result set is 10k results, it might return only 1000 results.
* When set to "false", the 'loadjob' search returns the full set of search results.
  For example, if the full result set is 10k results, it returns 10k results.
* Default: true

field_filters =
* Determines whether field filters can be used to protect sensitive data in Splunk platform indexes.
* When set to "true": Field filters are turned on.
* When set to "false": Field filters are turned off.
* Default: true

truncate_report = [1|0]
* Specifies whether or not to apply the 'max_count' setting to report output.
* Default: 0 (false)

write_multifile_results_out =
* At the end of the search, if results are in multiple files, writes out the multiple files to the results_dir directory, under the search results directory.
* This setting speeds up post-processing searches, since the results are already split into appropriately sized files.
* Default: true

############################################################################
# Search process
############################################################################
# This section contains settings for search process configurations.

idle_process_cache_search_count =
* The number of searches that the search process must reach before purging older data from the cache. The purge is performed even if 'idle_process_cache_timeout' has not been reached.
* When a search process is allowed to run more than one search, the search process can cache some data between searches.
* When set to a negative value: No purge occurs, no matter how many searches are run.
* Has no effect on Windows if 'search_process_mode' is not set to "auto" or if 'max_searches_per_process' is set to "0" or "1".
* Default: 8

idle_process_cache_timeout =
* The amount of time, in seconds, that a search process must be idle before the system purges some older data from these caches.
* When a search process is allowed to run more than one search, the search process can cache some data between searches.
* When set to a negative value: No purge occurs, no matter how long the search process is idle.
* When set to "0": Purging always occurs, regardless of whether the process has been idle or not.
* Has no effect on Windows if 'search_process_mode' is not set to "auto" or if 'max_searches_per_process' is set to "0" or "1".
* Default: 0.5 (seconds)

idle_process_regex_cache_hiwater =
* A threshold for the number of entries in the regex cache. If the regex cache grows larger than this number of entries, the system attempts to purge some of the older entries.
* When a search process is allowed to run more than one search, the search process can cache compiled regex artifacts.
* Usually the 'idle_process_cache_search_count' and 'idle_process_cache_timeout' settings keep the regex cache at a reasonable size. This setting prevents the cache from growing extremely large during a single large search.
* When set to a negative value: No purge occurs, no matter how large the cache.
* Has no effect on Windows if 'search_process_mode' is not set to "auto" or if 'max_searches_per_process' is set to "0" or "1".
* Default: 2500

idle_process_reaper_period = auto | <number>
* The amount of time, in seconds, between checks to determine if there are too many idle search processes.
* When a search process is allowed to run more than one search, the system checks if there are too many idle search processes.
* Has no effect on Windows if 'search_process_mode' is not set to "auto" or if 'max_searches_per_process' is set to "0" or "1".
* Default: 30

launcher_max_idle_checks = auto | <number>
* Specifies the number of idle processes that are inspected before giving up and starting a new search process.
* When allowing more than one search to run for each process, the system attempts to find an appropriate idle process to use.
* When set to a negative value: Every eligible idle process is inspected.
* Has no effect on Windows if 'search_process_mode' is not set to "auto" or if 'max_searches_per_process' is set to "0" or "1".
* Default: 5

launcher_threads =
* The number of server threads to run to manage the search processes.
* Valid only when more than one search is allowed to run for each process.
* Has no effect on Windows if 'search_process_mode' is not set to "auto" or if 'max_searches_per_process' is set to "0" or "1".
* Default: -1 (a value is selected automatically)

max_idle_process_count = auto | <number>
* The maximum number of preforked search processes that are allowed to be idle and reused by later search execution.
* The setting is valid if the 'enable_search_process_long_lifespan' setting in the server.conf file is set to "true". Otherwise, it is set to zero when "enable_search_process_long_lifespan = false".
* If the total number of idle search processes exceeds this setting, some processes are reaped until the number meets the setting.
* Adjust this setting to control how the Splunk server memory is used by idle search processes. The Splunk server can consume more system memory when the number of idle search processes is higher.
* When set to "auto": The initial value is set to 64.
* When set to "-1" or another negative value: The setting has no limit.
* This setting is not applied on computers running Windows or when 'search_process_mode' is not "auto".
* Default: auto

max_idle_process_memory = auto | <number>
* The maximum amount of memory (RSS), in KB, used by a search process that is allowed to be idle and reused later after running successfully.
* The setting is valid if the 'enable_search_process_long_lifespan' setting in the server.conf file is set to "true".
* If the memory used by a search process when it runs exceeds this setting, the process is not reusable. As a result, the process exits after it runs.
* Use this setting to prevent a search process from potential OOM issues due to the increase in memory usage after the process has been reused too many times.
* When set to "auto": The initial default value is set to "(1024*1024)" KB and subsequently adjusted automatically depending on the amount of system memory that is available to Splunk software.
* When set to "-1" or another negative value: The memory size is not limited.
* Has no effect on Windows or if 'search_process_mode' is not "auto".
* Default: auto

max_search_process_pool = auto | <number>
* The maximum number of search processes that can be launched to run searches in the pool of preforked search processes.
* The setting is valid if the 'enable_search_process_long_lifespan' setting in the server.conf file is set to "true".
* Use this setting to limit the total number of running search processes, so that a search head or peer is not overloaded or using high system resources (CPU, memory, etc.).
* When set to "auto": The Splunk server determines the pool size by multiplying the number of CPU cores and the allowed number of search processes (16). The pool size is 64 at minimum.
* When set to "-1" or another negative value: The pool size is not limited.
* Has no effect on Windows or if 'search_process_mode' is not "auto".
* Default: 2048

max_old_bundle_idle_time = auto | <number>
* The amount of time, in seconds, that a process bundle must be idle before the process bundle is considered for reaping.
* Used when reaping idle search processes and the process is not configured with the most recent configuration bundle.
* When set to "auto": Splunk software uses the internal default value. If the 'enable_search_process_long_lifespan' setting in the server.conf file is set to "true", the default value is "300". Otherwise, it is "5".
* When set to "-1" or another negative value: The idle processes are not reaped sooner than normal if the processes are using an older configuration bundle.
* Has no effect on Windows if 'search_process_mode' is not set to "auto" or if 'max_searches_per_process' is set to "0" or "1".
* Default: 5

max_searches_per_process =
* Specifies the maximum number of searches that each search process can run
  before exiting.
* After a search completes, the search process can wait for another search to
  start and the search process can be reused.
* When set to "0" or "1": The process is never reused.
* When set to a negative value: There is no limit to the number of searches
  that a process can run.
* Has no effect on Windows if 'search_process_mode' is not set to "auto".
* Default: 500 (Linux)
* Default: 1 (Windows)

max_searches_started_per_cycle =
* Specifies the number of new, concurrent searches started by the search
  launcher in a cycle.
* This limits the contention between running searches and new searches,
  improving search process reuse and efficiency.
* Note: Do not change this setting unless instructed to do so by Splunk
  Support.
* Has no effect on Windows if 'search_process_mode' is not set to "auto" or
  if 'max_searches_per_process' is set to "0" or "1".
* Default: 30

max_time_per_process = auto |
* Specifies the maximum time, in seconds, that a process can spend running
  searches.
* When a search process is allowed to run more than one search, limits how
  much time a process can accumulate running searches before the process must
  exit.
* When set to a negative value: There is no limit on the amount of time a
  search process can spend running.
* Has no effect on Windows if 'search_process_mode' is not set to "auto" or
  if 'max_searches_per_process' is set to "0" or "1".
* NOTE: A search can run longer than the value set for 'max_time_per_process'
  without being terminated. This setting ONLY prevents the process from being
  used to run additional searches after the maximum time is reached.
* Default: auto

process_max_age =
* Specifies the maximum age, in seconds, for a search process.
* When a search process is allowed to run more than one search, a process is
  not reused if the process is older than the value specified.
* When set to a negative value: There is no limit on the age of the search
  process.
* This setting includes the time that the process spends idle, which is
  different from the 'max_time_per_process' setting.
* Has no effect on Windows if 'search_process_mode' is not set to "auto" or
  if 'max_searches_per_process' is set to "0" or "1".
* NOTE: A search can run longer than the time set for 'process_max_age'
  without being terminated. This setting ONLY prevents that process from being
  used to run more searches after the search completes.
* Default: 7200 (120 minutes or 2 hours)

process_min_age_before_user_change = auto |
* The minimum age, in seconds, of an idle process before using a process from
  a different user.
* When a search process is allowed to run more than one search, the system
  tries to reuse an idle process that last ran a search by the same Splunk
  user.
* If no such idle process exists, the system tries to use an idle process from
  a different user. The idle process from a different user must be idle for at
  least the value specified for the 'process_min_age_before_user_change'
  setting.
* When set to "0": Any idle process by any Splunk user can be reused.
* When set to a negative value: Only a search process by the same Splunk user
  can be reused.
* Has no effect on Windows if 'search_process_mode' is not set to "auto" or
  if 'max_searches_per_process' is set to "0" or "1".
* Default: 4

search_process_mode = [auto|traditional|debug ]
* Controls how search processes are started.
* When set to "traditional": Each search process is initialized completely
  from scratch.
* When set to "debug": When set to a string beginning with "debug", searches
  are routed through the , where the user can "plug in" debugging tools.
* The must reside in one of the following locations:
  * $SPLUNK_HOME/etc/system/bin/
  * $SPLUNK_HOME/etc/apps/$YOUR_APP/bin/
  * $SPLUNK_HOME/bin/scripts/
* The are passed, followed by the search command it would normally run, to
* For example, given the following setting:
    search_process_mode = debug $SPLUNK_HOME/bin/scripts/search-debugger.sh 5
  A command similar to the following is run:
    $SPLUNK_HOME/bin/scripts/search-debugger.sh 5 splunkd search \
      --id=... --maxbuckets=... --ttl=... [...]
* Default: auto

search_process_configure_oom_score_adj =
* Determines whether to increase the value of the oom_score (Out of Memory
  Score) for search processes.
* The oom_score is proportional to the amount of memory used by the process,
  and shows how likely the system is to terminate the process due to low
  available memory. When memory runs low, the system kills the process with
  the highest oom_score to free the most memory.
* If set to true, when the system runs out of memory, the kernel
  preferentially kills search processes to protect the main splunkd process
  and make the overall service more stable.
* Applies to the Linux operating system only.
* Default: true

search_process_set_oom_score_adj =
* Specifies the value added to the existing oom_score for search processes.
* Applies only when 'search_process_configure_oom_score_adj' is set to true.
* The higher the value, the more likely the system is to kill search
  processes before the main splunkd process, decreasing the risk of a Splunk
  software crash.
* Supports integers between 0 and 1000. If set to 0, this setting has no
  effect on searches.
* Generally, the highest oom_score of the main splunkd process is less than
  700. Thus, by adding the default value, in most cases the system is likely
  to kill search processes before it kills the main splunkd process.
* Default: 700
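Added example, not part of Splunk's own files: a minimal $SPLUNK_HOME/bin/scripts/search-debugger.sh for the 'search_process_mode = debug ... 5' setting shown above. It records the debug argument and the search command it receives, then runs that command; the function name, the DEBUG_LOG variable and the default log path are assumptions.

```shell
#!/bin/sh
# Added example, not part of Splunk: a minimal wrapper for
#   search_process_mode = debug $SPLUNK_HOME/bin/scripts/search-debugger.sh 5
# Splunk then runs:  search-debugger.sh 5 splunkd search --id=... [...]
# The wrapper appends the debug argument and the full search command to a log
# and then runs the command, returning the search's own exit status.
# DEBUG_LOG (assumed name) overrides the log location; the default path below
# is an assumption as well.

search_debug_wrapper() {
    debug_arg="$1"                     # the "5" from the setting line
    shift                              # rest: splunkd search --id=... ...
    if [ "$#" -eq 0 ]; then
        echo "search_debug_wrapper: no search command given" >&2
        return 2
    fi
    log="${DEBUG_LOG:-${SPLUNK_HOME:-/opt/splunk}/var/log/splunk/search-debugger.log}"
    printf '%s debug_arg=%s cmd=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$debug_arg" "$*" >> "$log"
    # Run the real search process. A plain call (not exec) keeps the function
    # usable when sourced; in a deployed wrapper "exec" would also be fine.
    "$@"
}

# Behave as the wrapper only when invoked under the script name, so the
# function can also be sourced without side effects.
case "$0" in
    *search-debugger.sh) search_debug_wrapper "$@" ;;
esac
```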
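Added example, not Splunk code: a POSIX shell check that the OOM-killer protection from 'search_process_configure_oom_score_adj' and 'search_process_set_oom_score_adj' is in effect on Linux, i.e. that every "splunkd search" process has a higher oom_score_adj than the main splunkd process whose pid is given as the argument. The function name, PROC_ROOT, and the use of $SPLUNK_HOME/var/run/splunk/splunkd.pid to find the main pid are assumptions.

```shell
#!/bin/sh
# Added example, not Splunk code: confirm on Linux that the OOM-killer
# protection from 'search_process_configure_oom_score_adj' and
# 'search_process_set_oom_score_adj' is in effect, i.e. every "splunkd search"
# process has a higher oom_score_adj than the main splunkd process, so the
# kernel reclaims memory from searches before it touches splunkd itself.
# PROC_ROOT (assumed name) defaults to /proc and exists only so the check can
# be run against a constructed tree.

# usage: oom_adj_check <main_splunkd_pid>
# Prints one line per search process; returns 0 when all of them are
# protected, 1 when at least one is not, 2 when the main pid cannot be read.
oom_adj_check() {
    main_pid="$1"
    proc="${PROC_ROOT:-/proc}"
    main_adj=$(cat "$proc/$main_pid/oom_score_adj" 2>/dev/null) || return 2
    bad=0
    for dir in "$proc"/[0-9]*; do
        pid=${dir##*/}
        [ "$pid" = "$main_pid" ] && continue
        [ -r "$dir/cmdline" ] && [ -r "$dir/oom_score_adj" ] || continue
        # cmdline is NUL-separated; join with spaces before matching.
        cmd=$(tr '\000' ' ' < "$dir/cmdline")
        case "$cmd" in
            *"splunkd search "*) ;;     # a search process
            *) continue ;;
        esac
        adj=$(cat "$dir/oom_score_adj")
        if [ "$adj" -gt "$main_adj" ]; then
            state=protected
        else
            state=NOT_PROTECTED
            bad=1
        fi
        printf 'pid=%s oom_score_adj=%s main=%s %s\n' "$pid" "$adj" "$main_adj" "$state"
    done
    return "$bad"
}

# Typical invocation on a Linux search head or indexer (the splunkd.pid
# location is an assumption; adjust to your deployment):
#   oom_adj_check "$(head -n 1 "${SPLUNK_HOME:-/opt/splunk}/var/run/splunk/splunkd.pid")"
```

With the defaults (search_process_set_oom_score_adj = 700, main splunkd normally at 0) every search process should be reported as protected; a NOT_PROTECTED line means the setting is not applied to that process.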
############################################################################
# search_messages.log
############################################################################

log_search_messages =
* Specifies whether splunkd promotes user-facing search messages from
  $SPLUNK_HOME/var/run/splunk/dispatch//info.csv to
  $SPLUNK_HOME/var/log/splunk/search_messages.log.
* Splunkd does not promote messages with a severity that is ranked lower than
  the value of 'search_messages_severity'.
* Splunkd promotes messages only after the search has been audited.
* The search_messages.log file follows this format when it logs messages:
    orig_component="..." sid="..." peer_name="..." message=...
* Default: true

search_messages_severity =
* When 'log_search_messages = true', this setting specifies the lowest
  severity of message that splunkd logs to search_messages.log. The processor
  ignores all messages with a lower severity.
* Possible values in ascending order: DEBUG, INFO, WARN, ERROR
* For example, when 'search_messages_severity = WARN', splunkd logs only
  messages with 'WARN' and 'ERROR' severities.
* Default: WARN

############################################################################
# Search reuse
############################################################################
# This section contains settings for search reuse.

allow_reuse =
* Specifies whether to allow normally executed historical searches to be
  implicitly reused for newer requests if the newer request allows it.
* Default: true

reuse_map_maxsize =
* Maximum number of jobs to store in the reuse map.
* Default: 1000

############################################################################
# Splunk Analytics for Hadoop
############################################################################
# This section contains settings for use with Splunk Analytics for Hadoop.

reduce_duty_cycle =
* The maximum time to spend performing the reduce, as a fraction of total
  search time.
* Must be > 0.0 and < 1.0.
* Default: 0.25

reduce_freq =
* When the specified number of chunks is reached, attempt to reduce the
  intermediate results.
* When set to "0": Specifies that there is never an attempt to reduce the
  intermediate result.
* Default: 10

remote_reduce_limit =
* The number of results processed by a streaming search before a reduce is
  forced.
* NOTE: This option applies only if the search is run with --runReduce=true
  (currently only Splunk Analytics for Hadoop does this).
* When set to "0": Specifies that there is no limit.
* Default: 1000000

unified_search =
* Specifies if unified search is turned on for hunk archiving.
* Default: false

############################################################################
# Status
############################################################################
# This section contains settings for search status.

status_cache_size =
* The number of status data entries for search jobs that splunkd can cache in
  RAM. This cache improves performance of the jobs endpoint.
* Default: 10000

status_period_ms =
* The minimum amount of time, in milliseconds, between successive
  status/info.csv file updates.
* This setting ensures that the search does not spend significant time just
  updating these files.
* This is typically important for a very large number of search peers.
* It could also be important for extremely rapid responses from search peers,
  when the search peers have very little work to do.
* Default: 1000 (1 second)

############################################################################
# Timelines
############################################################################
# This section contains settings for timelines.

remote_event_download_finalize_pool =
* Size of the pool, in threads, responsible for writing out the full remote
  events.
* Default: 5

remote_event_download_initialize_pool =
* Size of the pool, in threads, responsible for initiating the remote event
  fetch.
* Default: 5

remote_event_download_local_pool =
* Size of the pool, in threads, responsible for reading full local events.
* Default: 5

remote_timeline =
* Specifies if the timeline can be computed remotely to enable better
  map/reduce scalability.
* Default: 1 (true)

remote_timeline_connection_timeout =
* Connection timeout, in seconds, for fetching events processed by the remote
  peer timeliner.
* Default: 5

remote_timeline_fetchall =
* When set to "1" (true): Splunk fetches all events accessible through the
  timeline from the remote peers before the job is considered done.
  * Fetching of all events might delay the finalization of some searches,
    typically those running in verbose mode from the main Search view in
    Splunk Web.
  * This potential performance impact can be mitigated by lowering the
    'max_events_per_bucket' setting.
* When set to "0" (false): The search peers might not ship all matching
  events to the search head, particularly if there is a very large number of
  them.
  * Skipping the complete fetching of events back to the search head will
    result in prompt search finalization.
  * Some events may not be available to browse in the UI.
* This setting does NOT affect the accuracy of search results computed by
  reporting searches.
* Default: 1 (true)

remote_timeline_max_count =
* Maximum number of events to be stored per timeline bucket on each search
  peer.
* Default: 10000

remote_timeline_max_size_mb =
* Maximum size of disk, in MB, that remote timeline events should take on
  each peer.
* If the limit is reached, a DEBUG message is emitted and should be visible
  in the job inspector or in messages.
* Default: 100

remote_timeline_min_peers =
* Minimum number of search peers for enabling remote computation of
  timelines.
* Default: 1

remote_timeline_parallel_fetch =
* Specifies whether to connect to multiple peers at the same time when
  fetching remote events.
* Default: true

remote_timeline_prefetch =
* Specifies the maximum number of full events that each peer should
  proactively send at the beginning.
* Default: 100

remote_timeline_receive_timeout =
* Receive timeout, in seconds, for fetching events processed by the remote
  peer timeliner.
* Default: 10

remote_timeline_send_timeout =
* Send timeout, in seconds, for fetching events processed by the remote peer
  timeliner.
* Default: 10

remote_timeline_thread =
* Specifies whether to use a separate thread to read the full events from
  remote peers if 'remote_timeline' is used and 'remote_timeline_fetchall' is
  set to "true". Has no effect if 'remote_timeline' or
  'remote_timeline_fetchall' is set to "false".
* Default: 1 (true)

remote_timeline_touchperiod =
* How often, in seconds, while a search is running, to touch remote timeline
  artifacts to keep the artifacts from being deleted by the remote peer.
* When set to "0": The remote timelines are never touched.
* Fractional seconds are allowed.
* Default: 300 (5 minutes)

timeline_events_preview =
* When set to "true": Display events in the Search app as the events are
  scanned, including events that are in memory and not yet committed, instead
  of waiting until all of the events are scanned to see the search results.
  You will not be able to expand the event information in the event viewer
  until events are committed.
* When set to "false": Events are displayed only after the events are
  committed (the events are written to the disk).
* This setting might increase disk usage to temporarily save uncommitted
  events while the search is running. Additionally, search performance might
  be impacted.
* Default: false

timeline_freq = or
* The minimum amount of time, in seconds, between timeline commits.
* If specified as a number < 1 (and > 0), the minimum time between commits is
  computed as a ratio of the amount of time that the search has been running.
* Default: 0

############################################################################
# TTL
############################################################################
# This section contains time to live (ttl) settings.

cache_ttl =
* The length of time, in seconds, to persist search cache entries.
* Default: 300 (5 minutes)

default_save_ttl =
* How long, in seconds, the ttl for a search artifact should be extended in
  response to the save control action.
* When set to 0, the system waits indefinitely.
* Default: 604800 (1 week)

failed_job_ttl =
* How long, in seconds, the search artifacts should be stored on disk after a
  job has failed. The ttl is computed relative to the modtime of the
  status.csv file of the job, if the file exists, or the modtime of the
  artifact directory for the search job.
* If a job is being actively viewed in the Splunk UI, then the modtime of the
  status.csv file is constantly updated so that the reaper does not remove
  the job from underneath.
* Default: 86400 (24 hours)

remote_ttl =
* How long, in seconds, the search artifacts from searches run on behalf of a
  search head should be stored on the indexer after completion.
* Default: 600 (10 minutes)

ttl =
* How long, in seconds, the search artifacts should be stored on disk after
  the job completes. The ttl is computed relative to the modtime of the
  status.csv file of the job, if the file exists, or the modtime of the
  artifact directory for the search job.
* If a job is being actively viewed in the Splunk UI, then the modtime of the
  status.csv file is constantly updated so that the reaper does not remove
  the job from underneath.
* Default: 600 (10 minutes)

check_search_marker_done_interval =
* The amount of time, in seconds, that elapses between checks of search
  marker files, such as hot bucket markers and backfill complete markers.
* This setting is used to identify when the remote search process on the
  indexer completes processing all hot bucket and backfill portions of the
  search.
* Default: 60

check_search_marker_sleep_interval =
* The amount of time, in seconds, that the process will sleep between
  subsequent search marker file checks.
* This setting is used to put the process into sleep mode periodically on the
  indexer, then wake up and check whether hot buckets and backfill portions
  of the search are complete.
* Default: 1

srtemp_dir_ttl =
* The time to live, in seconds, for the temporary files and directories
  within the intermediate search results directory tree.
* These files and directories are located in $SPLUNK_HOME/var/run/splunk/srtemp.
* Every 'srtemp_dir_ttl' seconds, the reaper removes files and directories
  within this tree to reclaim disk space.
* The reaper measures the time to live through the newest file modification
  time within the directory.
* When set to 0, the reaper does not remove any files or directories in this
  tree.
* Default: 86400 (24 hours)

############################################################################
# Unsupported settings
############################################################################
# This section contains settings that are no longer supported.

enable_status_cache =
* This is not a user tunable setting. Do not use this setting without working
  in tandem with Splunk personnel. This setting is not tested at non-default.
* This controls whether the status cache is used, which caches information
  about search jobs (and job artifacts) in memory in main splunkd.
* Normally this caching is enabled and assists performance. However, when
  using Search Head Pooling, artifacts in the shared storage location will be
  changed by other search heads, so this caching is disabled.
* Explicit requests to jobs endpoints, e.g. /services/search/jobs/, are
  always satisfied from disk, regardless of this setting.
* Default (when search head pooling is not enabled): true
* Default (when search head pooling is enabled): false

status_cache_in_memory_ttl =
* This is not a user tunable setting.
  Do not use this setting without working in tandem with Splunk personnel.
  This setting is not tested at non-default.
* This setting has no effect unless search head pooling is enabled, AND
  'enable_status_cache' has been set to true.
* If set, controls the number of milliseconds that a status cache entry may be
  used before it expires.
* Default: 60000 (60 seconds)

############################################################################
# Unused settings
############################################################################
# This section contains settings that have been deprecated. These settings
# remain listed in this file for backwards compatibility.

max_bucket_bytes =
* This setting has been deprecated and has no effect.

rr_min_sleep_ms =
* REMOVED. This setting is no longer used.

rr_max_sleep_ms =
* REMOVED. This setting is no longer used.

rr_sleep_factor =
* REMOVED. This setting is no longer used.

############################################################################
# Distributed search throttling
############################################################################
# This section describes peer-side settings for distributed search throttling.

[search_throttling::per_cpu]

max_concurrent =
* Sets the maximum number of remote searches for each available CPU. The
  total number of searches for this throttling type is thus calculated as:
    max_searches = max_concurrent x number_of_cpus
* When the calculated value is exceeded, search requests are rejected until
  the number of concurrent searches falls below the limit.
* A value of 0 disables throttling.
* This setting is relevant only when used with
  'remote_search_requests_throttling_type'.
* Default: 12

[search_throttling::physical_ram]

min_memory_per_search = [KB|MB|GB]
* Sets the minimum memory requirement per search instance.
  The total number of searches for this throttling type is thus calculated as:
    max_searches = available_system_memory / min_memory_per_search
* When the calculated value is exceeded, search requests are rejected until
  the number of concurrent searches falls below the limit.
* A value of 0 disables throttling.
* This setting is relevant only when used with
  'remote_search_requests_throttling_type'.
* Specify this value as an integer followed by KB, MB, or GB (for example,
  10MB is 10 megabytes).
* Default: 64MB

############################################################################
# OTHER COMMAND SETTINGS
############################################################################
# This section contains the stanzas for the SPL commands, except for the
# search command, which is in a separate section.

[anomalousvalue]

maxresultrows =
* Configures the maximum number of events that can be present in memory at
  one time.
* Default: The value set for 'maxresultrows' in the [searchresults] stanza,
  which is 50000 by default.

maxvalues =
* Maximum number of distinct values for a field.
* Default: 0

maxvaluesize =
* Maximum size, in bytes, of any single value (truncated to this size if
  larger).
* Default: 0

[associate]

maxfields =
* Maximum number of fields to analyze.
* Default: 10000

maxvalues =
* Maximum number of values for any field to keep track of.
* Default: 0

maxvaluesize =
* Maximum length of a single value to consider.
* Default: 0

[autoregress]

maxp =
* Maximum number of events for auto regression.
* Default: 10000

maxrange =
* Maximum magnitude of range for p values when given a range.
* Default: 1000

[collect]

format_multivalue_collect =
* Specifies whether the 'collect' processor should format multivalued fields
  specially when it collects them into a summary index.
* A setting of 'true' means that the 'collect' processor will break each
  value of a multivalue field out into a discrete key/value pair.
* For example, when this setting is 'true' and the 'collect' processor is
  given the field 'alphabet' with values 'a, b, c', the 'collect' processor
  adds the following fields to the summary index:
    alphabet="a", alphabet="b", alphabet="c"
* A setting of 'false' means that the 'collect' processor will collect each
  multivalued field as a single key with values listed and newline-separated.
* For example, when this setting is 'false' and the 'collect' processor is
  given the field 'alphabet' with values 'a, b, c', the 'collect' processor
  adds the following field to the summary index:
    alphabet="a b c"
* Default: false

collect_ignore_minor_breakers =
* Specifies whether the 'collect' command adds quotation marks around field
  values containing major or minor breakers when the command collects those
  values into a summary index.
* A setting of 'true' means that the 'collect' command checks for major
  breakers in field values, such as spaces, square or curly brackets,
  parentheses, semicolons, or exclamation points. If 'collect' finds major
  breakers in a field value, it adds quotation marks to that field value.
  This enables the use of 'tstats' with the PREFIX() directive on fields that
  do not contain major breakers.
* A setting of 'false' means that the 'collect' command adds quotation marks
  when it finds either a minor breaker or a major breaker in a field value.
* For example, say you have the field-value pair 'user_name = name@spl.com'.
  In this case both '@' and '.' are minor breakers.
  * When 'collect_ignore_minor_breakers = true', the 'collect' command does
    not enclose the value of 'user_name' in quotation marks when it adds the
    field-value pair to the summary index:
      user_name = name@spl.com
  * When 'collect_ignore_minor_breakers = false', the 'collect' command
    encloses the value of 'user_name' in quotation marks because 'collect'
    detects that the value contains minor breakers.
    In this case, this is what 'collect' adds to the summary index:
      user_name = "name@spl.com"
* Default: false

[concurrency]

max_count =
* Maximum number of detected concurrencies.
* Default: 10000000

[correlate]

maxfields =
* Maximum number of fields to correlate.
* Default: 1000

[ctable]
* This stanza controls settings for the contingency command.
* Aliases for the contingency command are: ctable and counttable.

maxvalues =
* Maximum number of columns/rows to generate (the maximum number of distinct
  values for the row field and column field).
* Default: 1000

[dbinspect]

maxresultrows =
* The maximum number of result rows that the dbinspect command can fetch at
  one time.
* A smaller value uses less search head memory in scenarios with a large
  number of buckets. However, setting the value too small decreases search
  performance.
* Note: Do not change this setting unless instructed to do so by Splunk
  Support.
* Default: 50000

[discretize]
* This stanza contains the settings for the bin command.
* Aliases for the bin command are: bucket and discretize.

default_time_bins =
* When discretizing time for timechart or explicitly via bin, the default
  number of bins to use if no span or bins is specified.
* Default: 100

maxbins =
* Maximum number of bins to discretize into.
* If 'maxbins' is not specified or = 0, 'maxbins' uses the value set for
  'maxresultrows' in the [searchresults] stanza, which is 50000 by default.
* Default: 50000

[eval]

printf_max_precision =
* The maximum usable precision for 'printf' format strings.
* Default: 1000000
* NOTE: Do not change this setting unless instructed to do so by Splunk
  Support.

printf_max_width =
* The maximum usable width for 'printf' format strings.
* Default: 1000000
* NOTE: Do not change this setting unless instructed to do so by Splunk
  Support.

[findkeywords]

maxevents =
* Maximum number of events used by the findkeywords command and the Patterns
  tab.
* Default: 50000

[geomfilter]

enable_clipping =
* Whether or not polygons are clipped to the viewport provided by the render
  client.
* Default: true

enable_generalization =
* Whether or not generalization is applied to polygon boundaries to reduce
  point count for rendering.
* Default: true

[geostats]

filterstrategy =
* Controls the selection strategy on the geoviz map.
* Valid values are 1 and 2.

maxzoomlevel =
* Controls the number of zoom levels that geostats will cluster events on.

zl_0_gridcell_latspan =
* Controls the grid spacing, in latitude degrees, at the lowest zoom level,
  which is zoom level 0.
* Grid spacing at other zoom levels is derived from this value by reducing it
  by a factor of 2 at each zoom level.

zl_0_gridcell_longspan =
* Controls the grid spacing, in longitude degrees, at the lowest zoom level,
  which is zoom level 0.
* Grid spacing at other zoom levels is derived from this value by reducing it
  by a factor of 2 at each zoom level.

[inputcsv]

mkdir_max_retries =
* Maximum number of retries for creating a tmp directory (with a random name,
  as a subdirectory of $SPLUNK_HOME/var/run/splunk).
* Default: 100

[iplocation]

db_path =
* The absolute path to the GeoIP database in the MMDB format.
* The 'db_path' setting does not support standard Splunk environment
  variables such as SPLUNK_HOME.
* Default: The database that is included with the Splunk platform.

[join]

subsearch_maxout =
* The maximum number of result rows to output from the subsearch to join
  against.
* The join command subsearch results are restricted by two settings: the
  'subsearch_maxout' setting in this stanza and the 'maxresultrows' setting
  in the [searchresults] stanza.
* Default: 50000

subsearch_maxtime =
* Maximum search time, in seconds, before auto-finalization of the subsearch.
* Default: 60

subsearch_timeout =
* Maximum time, in seconds, to wait for the subsearch to fully finish.
* Default: 120
* DEPRECATED

[kmeans]

maxdatapoints =
* Maximum number of data points to do kmeans clustering for.
* Default: 100000000 (100 million)

maxkrange =
* Maximum number of k values to iterate over when specifying a range.
* Default: 100

maxkvalue =
* Maximum number of clusters to attempt to solve for.
* Default: 1000

[lookup]

batch_index_query =
* Should non-memory file lookups (files that are too large) use batched
  queries to possibly improve performance?
* Default: true

batch_response_limit =
* When doing batch requests, the maximum number of matches to retrieve.
* If more than this limit of matches would otherwise be retrieved, the lookup
  falls back to non-batch mode matching.
* Default: 5000000

max_lookup_messages =
* If more than 'max_lookup_messages' log entries are generated, additional
  entries will not be logged in info.csv. All entries will still be logged in
  search.log.

max_matches =
* DEPRECATED: Use this setting in transforms.conf for lookup definitions.

max_memtable_bytes =
* Maximum size, in bytes, of a static lookup file to use an in-memory index
  for.
* Lookup files with a size above 'max_memtable_bytes' will be indexed on disk.
* NOTE: This setting also applies to lookup files loaded through the lookup()
  eval function *which runs at search time*. The same function, if called
  through the ingest-eval functionality, uses 'ingest_max_memtable_bytes'
  instead.
* CAUTION: Setting this to a large value results in loading large lookup
  files in memory. This leads to a bigger process memory footprint.
* Default: 26214400 (25MB)

ingest_max_memtable_bytes =
* Maximum size, in bytes, of a static lookup file to use for a lookup when
  used in the ingest context (i.e. when used with the lookup() eval function
  at ingest time).
* Lookup files with a size above 'ingest_max_memtable_bytes' cannot be used
  for the lookup() eval function when used with the ingest-eval
  functionality.
* CAUTION: Setting this to a large value results in loading large lookup
  files in memory.
  This leads to a bigger process (splunkd) memory footprint.
* Default: 10485760 (10MB)

ingest_lookup_refresh_period_secs =
* Period of time, in seconds, after which the in-memory lookup tables that
  are used with the lookup() eval function at ingest time are refreshed.
* This does not apply if the lookup() function is used at search time.
* Default: 60 (1 minute)

indexed_csv_ttl =
* Specifies the amount of time, in seconds, that an indexed CSV lookup table
  can exist without update before it is removed by Splunk software.
* On a period set by 'indexed_csv_keep_alive_timeout', Splunk software checks
  the CSV lookup table to see if it has been updated. If it has been updated,
  Splunk software modifies a special token file.
* At the end of the 'indexed_csv_ttl' period, Splunk software looks at the
  token file. If the token file shows that its CSV lookup table has been
  updated, Splunk software does not delete that CSV lookup table.
* Default: 300

indexed_csv_keep_alive_timeout =
* Sets the period, in seconds, for an activity check that Splunk software
  performs on indexed CSV lookup tables.
* When Splunk software performs a CSV lookup table check and finds that the
  table has been updated, it marks this activity on a token file. The token
  file update prevents the CSV lookup table from being deleted after
  'indexed_csv_ttl' seconds of inactivity have passed.
* Default: 30

indexed_csv_inprogress_max_timeout =
* Sets the maximum time, in seconds, for Splunk software to wait for ongoing
  indexing of a CSV lookup table to finish before failing any search that is
  awaiting the lookup table.
* Default: 300

max_reverse_matches =
* Maximum number of reverse lookup matches (for search expansion).
* Default: 50

shared_provider_cache_size =
* Sets the cache size, in bytes, that the Splunk software uses when it shares
  CSV lookups across multiple lookup commands.
* The represents the size of the cache in bytes. This is incremented by the
  size of each in-memory file (in bytes) inserted into the shared cache.
* Set this to 0 to disable lookup sharing. Defaults to 200MB (209715200
  bytes).
* Do not change this value unless you are advised to do so by Splunk Support
  or a similar authority.
* Default: 209715200

input_errors_fatal =
* This setting determines whether certain inputlookup or inputcsv command
  errors cause searches to fail or return a warning message.
* When set to true, this setting causes inputlookup and inputcsv errors to
  make an entire search fail. This happens even when the errors take place in
  a subsearch.
* When set to false, this setting returns a warning message for many
  inputlookup and inputcsv error conditions.
* Certain kinds of errors cause searches to fail no matter how this setting
  is set.
* Default: false

enable_splunkd_kv_lookup_indexing =
* This setting determines whether KV Store lookup indexing is performed
  during bundle replication.
* When set to true, KV Store lookup indexing occurs on the main splunkd
  process, asynchronous to searches.
* When set to false, KV Store lookup indexing is triggered by the search
  process, potentially slowing search performance.
* NOTE: Do not change this setting unless instructed to do so by Splunk
  Support.
* Default: true

enforce_auto_lookup_order =
* true: LOOKUP-s in props.conf are looked up in ASCII order by .
* false: LOOKUP-s in props.conf are looked up in random order.
* Default: false

[metadata]

bucket_localize_max_lookahead =
* This setting is only relevant when using remote storage.
* Specifies the maximum number of buckets the metadata command localizes for
  look-ahead purposes, in addition to the required bucket.
* Increasing this value can improve performance, at the cost of additional
  network/io/disk utilization.
* Valid values are 0-64. Any value larger than 64 will be set to 64. Other
  invalid values will be discarded and the default will be substituted.
* Default: 10

maxcount =
* The total number of metadata search results returned by the search head;
  after 'maxcount' is reached, any additional metadata results received from
  the search peers will be ignored (not returned).
* A larger number incurs additional memory usage on the search head.
* Default: 100000

maxresultrows =
* The maximum number of results in a single chunk fetched by the metadata
  command.
* A smaller value will require less memory on the search head in setups with
  a large number of peers and many metadata results, though setting this too
  small will decrease search performance.
* NOTE: Do not change this setting unless instructed to do so by Splunk
  Support.
* Default: 10000

[metric_alerts]
* This stanza provides global settings for metric alerts.

condition_evaluation_interval =
* This setting provides the alert condition evaluation interval in minutes.
* Must be a number from 1 to 60.
* Default: 1

search_delay =