# Version 6.0
#
# This file contains possible attribute/value pairs for configuring limits for search commands.
#
# There is a limits.conf in $SPLUNK_HOME/etc/system/default/. To set custom configurations,
# place a limits.conf in $SPLUNK_HOME/etc/system/local/. For examples, see
# limits.conf.example. You must restart Splunk to enable configurations.
#
# To learn more about configuration files (including precedence) please see the documentation
# located at http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles
#
# GLOBAL SETTINGS
# Use the [default] stanza to define any global settings.
# * You can also define global settings outside of any stanza, at the top of the file.
# * Each conf file should have at most one default stanza. If there are multiple default
# stanzas, attributes are combined. In the case of multiple definitions of the same
# attribute, the last definition in the file wins.
# * If an attribute is defined at both the global level and in a specific stanza, the
# value in the specific stanza takes precedence.
# CAUTION: Do not alter the settings in limits.conf unless you know what you are doing.
# Improperly configured limits may result in splunkd crashes and/or memory overuse.
* Each stanza controls different parameters of search commands.
max_mem_usage_mb = <integer>
* Specifies the recommended maximum estimate memory usage by internal data structures that can use disk as backing store if this limit would otherwise be exceeded.
* coordinates with maxresultrows such that what is in memory satisfies at least one of these 2 constraints, except if max_mem_usage_mb is set to 0.
* also acts as a cutoff for memory usage by mvexpand.
* Certainly commands may use multiple such structures in conjuction with large in memory result sets and thus the true maximum search memory usage may be 4-5 times this limit depending on the sequence of commands.
* defaults to 200 (MB)
min_batch_size_bytes = <integer>
* Specifies the size of the file/tar after which the file is handled by the batch reader instead of the trailing processor.
* Global parameter, cannot be configured per input.
* Note configuring this to a very small value could lead to backing up of jobs at the tailing processor.
* defaults to 20 MB
[searchresults]
* 검색 결과에 대한 제한 설정 내용.
* This stanza controls search results for a variety of Splunk search commands.
maxresultrows = <integer>
* 최대 결과 수를 설정.
* 기본이 50,000 임.
* Configures the maximum number of events are generated by search commands which
grow the size of your result set (such as multikv) or that create events. Other search commands are explicitly
controlled in specific stanzas below.
* This limit should not exceed 50000. Setting this limit higher than 50000 causes instability.
* Defaults to 50000.
tocsv_maxretry = <integer>
* Maximum number of times to retry the atomic write operation.
* 1 = no retries.
* Defaults to 5.
tocsv_retryperiod_ms = <integer>
* Period of time to wait before each retry.
* Defaults to 500.
[subsearch]
* 하위 검색에 대한 제한 설정 내용.
* This stanza controls subsearch results.
* NOTE: This stanza DOES NOT control subsearch results when a subsearch is called by
commands such as join, append, or appendcols.
* Read more about subsearches in the online documentation:
http://docs.splunk.com/Documentation/Splunk/latest/Search/Aboutsubsearches
maxout = <integer>
* 하위 검색 결과의 최대 값 설정.
* 기본이 10,000개의 결과 임.
* Maximum number of results to return from a subsearch.
* This value cannot be greater than or equal to 10500.
* Defaults to 10000.
maxtime = <integer>
* 하위 검색에 대한 검색 시간 제한 설정.
* 기본이 60 sec.이며, 하위 검색이 60 sec. 에서 검색이 종료되고, 그에 대한 결과가 반환 됨.
* Maximum number of seconds to run a subsearch before finalizing
* Defaults to 60.
ttl = <integer>
* Time to cache a given subsearch's results, in seconds.
* Do not set this below 120 seconds.
* See definition in [search] ttl for more details on how the ttl is computed
* Defaults to 300.
[anomalousvalue]
maxresultrows = <integer>
* Configures the maximum number of events that can be present in memory at one time.
* Defaults to searchresults::maxresultsrows (which is by default 50000).
maxvalues = <integer>
* Maximum number of distinct values for a field.
* Defaults to 100000.
maxvaluesize = <integer>
* Maximum size in bytes of any single value (truncated to this size if larger).
* Defaults to 1000.
[associate]
maxfields = <integer>
* Maximum number of fields to analyze.
* Defaults to 10000.
maxvalues = <integer>
* Maximum number of values for any field to keep track of.
* Defaults to 10000.
maxvaluesize = <integer>
* Maximum length of a single value to consider.
* Defaults to 1000.
[autoregress]
maxp = <integer>
* Maximum valid period for auto regression
* Defaults to 10000.
maxrange = <integer>
* Maximum magnitude of range for p values when given a range.
* Defaults to 1000.
[concurrency]
max_count = <integer>
* Maximum number of detected concurrencies.
* Defaults to 10000000
[ctable]
* This stanza controls the contingency, ctable, and counttable commands.
maxvalues = <integer>
* Maximum number of columns/rows to generate (the maximum number of distinct values for the row field and
column field).
* Defaults to 1000.
[correlate]
maxfields = <integer>
* Maximum number of fields to correlate.
* Defaults to 1000.
[discretize]
* This stanza set attributes for bin/bucket/discretize.
default_time_bins = <integer>
* When discretizing time for timechart or explicitly via bin, the default bins to use if no span or bins is specified.
* Defaults to 100
maxbins = <integer>
* Maximum number of buckets to discretize into.
* If maxbins is not specified or = 0, it defaults to searchresults::maxresultrows (which is by default 50000).
[export]
add_timestamp = <bool>
* Add a epoch time timestamp to JSON streaming output that reflects the time the results were generated/retrieved
* Defaults to false
add_offset = <bool>
* Add an offset/row number to JSON streaming output
* Defaults to true
[extern]
perf_warn_limit = <integer>
* Warn when external scripted command is applied to more than this many events
* set to 0 for no message (message is always INFO level)
* Defaults to 10000
[inputcsv]
mkdir_max_retries = <integer>
* Maximum number of retries for creating a tmp directory (with random name as subdir of SPLUNK_HOME/var/run/splunk)
* Defaults to 100.
[indexpreview]
max_preview_bytes = <integer>
* Maximum number of bytes to read from each file during preview
* Defaults to 2000000 (2 MB)
max_results_perchunk = <integer>
* Maximum number of results to emit per call to preview data generator
* Defaults to 2500
soft_preview_queue_size = <integer>
* Loosely-applied maximum on number of preview data objects held in memory
* Defaults to 100
[join]
subsearch_maxout = <integer>
* Maximum result rows in output from subsearch to join against.
* Defaults to 50000
subsearch_maxtime = <integer>
* Maximum search time (in seconds) before auto-finalization of subsearch.
* Defaults to 60
subsearch_timeout = <integer>
* Maximum time to wait for subsearch to fully finish (in seconds).
* Defaults to 120
[kmeans]
maxdatapoints = <integer>
* Maximum data points to do kmeans clusterings for.
* Defaults to 100000000
maxkvalue = <integer>
* Maximum number of clusters to attempt to solve for.
* Defaults to 1000
maxkrange = <integer>
* Maximum number of k values to iterate over when specifying a range.
* Defaults to 100
[kv]
maxcols = <integer>
* When non-zero, the point at which kv should stop creating new fields.
* Defaults to 512.
limit = <integer>
* Maximum number of keys auto kv can generate.
* Defaults to 50.
maxchars = <integer>
* Truncate _raw to this size and then do auto KV.
* Defaults to 10240 characters.
max_extractor_time = <integer>
* Maximum amount of CPU time, in milliseconds, that a key-value pair extractor will be allowed to
* take before warning. If the extractor exceeds this execution time on any event a warning will be issued
* Defaults to 1000
avg_extractor_time = <integer>
* Maximum amount of CPU time, in milliseconds, that the average (over search results) execution time of
* a key-value pair extractor will be allowed to take before warning. Once the average becomes larger
* than this amount of time a warning will be issued
* Defaults to 500
[lookup]
max_memtable_bytes = <integer>
* Maximum size of static lookup file to use an in-memory index for.
* Defaults to 10000000 in bytes (10MB
max_matches = <integer>
* maximum matches for a lookup
* range 1 - 1000
* Defaults to 1000
max_reverse_matches = <integer>
* maximum reverse lookup matches (for search expansion)
* Defaults to 50
batch_index_query = <bool>
* Should non-memory file lookups (files that are too large) use batched queries to possibly improve performance?
* Defaults to true
batch_response_limit = <integer>
* When doing batch requests, the maximum number of matches to retrieve
* if more than this limit of matches would otherwise be retrieve, we will fall back to non-batch mode matching
* Defaults to 5000000
[metrics]
maxseries = <integer>
* The number of series to include in the per_x_thruput reports in metrics.log.
* Defaults to 10.
interval = <integer>
* Number of seconds between logging splunkd metrics to metrics.log.
* Minimum of 10.
* Defaults to 30.
[rare]
maxresultrows = <integer>
* Maximum number of result rows to create.
* If not specified, defaults to searchresults::maxresultrows (which is by default 50000).
maxvalues = <integer>
* Maximum number of distinct field vector values to keep track of.
* Defaults 100000.
maxvaluesize = <integer>
* Maximum length of a single value to consider.
* Defaults to 1000.
[restapi]
maxresultrows = <integer>
* Maximum result rows to be returned by /events or /results getters from REST API.
* Defaults to 50000.
time_format_reject = <regular expression>
* HTTP parameters for time_format and output_time_format which match
this regex will be rejected (blacklisted).
* The regex will be satisfied by a substring match anywhere in the paramater.
* Intended as defense-in-depth against XSS style attacks against browser users
by crafting specially encoded URLS for them to access splunkd.
* If unset, all parameter strings will be accepted.
* To disable this check entirely, set the value to empty.
# Example of disabling: time_format_reject =
* Defaults to [<>!] , which means that the less-than '<', greater-than '>', and
exclaimation point '!' are not allowed.
jobscontentmaxcount = <integer>
* Maximum length of a property in the contents dictionary of an entry from /jobs getter from REST API
* Value of 0 disables truncation
* Defaults to 0
[search]
* 검색에 대한 제한 설정.
summary_mode = [all|only|none]
* Controls if precomputed summary are to be used if possible?
* all: use summary if possible, otherwise use raw data
* only: use summary if possible, otherwise do not use any data
* none: never use precomputed summary data
* Defaults to 'all'
use_bloomfilter = <bool>
* Control whether to use bloom filters to rule out buckets
max_id_length = <integer>
* Maximum length of custom search job id when spawned via REST api arg id=
ttl = <integer>
* How long search artifacts should be stored on disk once completed, in seconds. The ttl is computed
* relative to the modtime of status.csv of the job if such file exists or the modtime of the search
* job's artifact directory. If a job is being actively viewed in the Splunk UI then the modtime of
* status.csv is constantly updated such that the reaper does not remove the job from underneath.
* Defaults to 600, which is equivalent to 10 minutes.
default_save_ttl = <integer>
* How long the ttl for a search artifact should be extended in response to the save control action, in second. 0 = indefinitely.
* Defaults to 604800 (1 week)
remote_ttl = <integer>
* How long artifacts from searches run in behalf of a search head should be stored on the indexer
after completion, in seconds.
* Defaults to 600 (10 minutes)
status_buckets = <integer>
* The approximate maximum number buckets to generate and maintain in the timeline.
* Defaults to 0, which means do not generate timeline information.
max_bucket_bytes = <integer>
* This setting has been deprecated and has no effect
max_count = <integer>
* The number of events that can be accessible in any given status bucket.
* The last accessible event in a call that takes a base and bounds.
* Defaults to 10000.
max_events_per_bucket = <integer>
* For searches with status_buckets>0 this will limit the number of events retrieved per timeline bucket.
* Defaults to 1000 in code.
truncate_report = [1|0]
* Specifies whether or not to apply the max_count limit to report output.
* Defaults to false (0).
min_prefix_len = <integer>
* The minimum length of a prefix before a * to ask the index about.
* Defaults to 1.
cache_ttl = <integer>
* The length of time to persist search cache entries (in seconds).
* Defaults to 300.
max_results_perchunk = <integer>
* Maximum results per call to search (in dispatch), must be less than or equal to maxresultrows.
* Defaults to 2500
min_results_perchunk = <integer>
* Minimum results per call to search (in dispatch), must be less than or equal to max_results_perchunk.
* Defaults to 100
max_rawsize_perchunk = <integer>
* Maximum raw size of results per call to search (in dispatch).
* 0 = no limit.
* Defaults to 100000000 (100MB)
* Not affected by chunk_multiplier
target_time_perchunk = <integer>
* Target duration of a particular call to fetch search results in ms.
* Defaults to 2000
long_search_threshold = <integer>
* Time in seconds until a search is considered "long running".
* Defaults to 2
chunk_multiplier = <integer>
* max_results_perchunk, min_results_perchunk, and target_time_perchunk are multiplied by this
for a long running search.
* Defaults to 5
min_freq = <number>
* Minimum frequency of a field required for including in the /summary endpoint as a fraction (>=0 and <=1).
* Defaults is 0.01 (1%)
reduce_freq = <integer>
* Attempt to reduce intermediate results every how many chunks (0 = never).
* Defaults to 10
reduce_duty_cycle = <number>
* the maximum time to spend doing reduce, as a fraction of total search time
* Must be > 0.0 and < 1.0
* Defaults to 0.25
preview_duty_cycle = <number>
* the maximum time to spend generating previews, as a fraction of total search time
* Must be > 0.0 and < 1.0
* Defaults to 0.25
dispatch_quota_retry = <integer>
* The maximum number of times to retry to dispatch a search when the quota has been reached.
* Defaults to 4
dispatch_quota_sleep_ms = <integer>
* Milliseconds between retrying to dispatch a search if a quota has been reached.
* Retries the given number of times, with each successive wait 2x longer than the previous.
* Defaults to 100
base_max_searches = <int>
* 기본 최대 검색 수 설정.
* A constant to add to the maximum number of searches, computed as a multiplier of the CPUs.
* Defaults to 6
max_searches_per_cpu = <int>
* CPU당 최대 검색 수 설정.
* The maximum number of concurrent historical searches per CPU. The system-wide limit of
historical searches is computed as:
max_hist_searches = max_searches_per_cpu x number_of_cpus + base_max_searches
* Note: the maximum number of real-time searches is computed as:
max_rt_searches = max_rt_search_multiplier x max_hist_searches
* Defaults to 1
max_rt_search_multiplier = <decimal number>
* A number by which the maximum number of historical searches is multiplied to determine the maximum
* number of concurrent real-time searches
* Note: the maximum number of real-time searches is computed as:
max_rt_searches = max_rt_search_multiplier x max_hist_searches
* Defaults to 1
max_macro_depth = <int>
* Max recursion depth for macros.
* Considered a search exception if macro expansion doesn't stop after this many levels.
* Must be greater than or equal to 1.
* Default is 100
realtime_buffer = <int>
* Maximum number of accessible events to keep for real-time searches from Splunk Web.
* Acts as circular buffer once this limit is reached
* Must be greater than or equal to 1
* Default is 10000
stack_size = <int>
* The stack size (in bytes) of the thread executing the search.
* Defaults to 4194304 (4 MB)
status_cache_size = <int>
* The number of search job status data splunkd can cache in RAM. This cache improves performance of
the jobs endpoint
* Defaults to 2000
timeline_freq = <timespan> or <ratio>
* Minimum amount of time between timeline commits.
* If specified as a number < 1 (and > 0), minimum time between commits is computed as a ratio of
the amount of time that the search has been running.
* defaults to 0 seconds
preview_freq = <timespan> or <ratio>
* Minimum amount of time between results preview updates.
* If specified as a number < 1 (and > 0), minimum time between previews is computed as a ratio of
the amount of time that the search has been running, or as a ratio of the length of the time window
for real-time windowed searches.
* Defaults to ratio of 0.05
max_combiner_memevents = <int>
* Maximum size of in-memory buffer for search results combiner, in terms of number of events.
* Defaults to 50000 events.
replication_period_sec = <int>
* The minimum amount of time in seconds between two successive bundle replications.
* Defaults to 60
replication_file_ttl = <int>
* The TTL (in seconds) of bundle replication tarballs, i.e. *.bundle files.
* Defaults to 600 (10m)
sync_bundle_replication = [0|1|auto]
* Flag indicating whether configuration file replication blocks searches or is run asynchronously
* When setting this flag to auto Splunk will choose to use asynchronous replication iff all the peers
* support async bundle replication, otherwise it will fallback into sync replication.
* Defaults to auto
multi_threaded_setup = [0|1]
* 멀티 스레드 설정.
* 분산 검색에 대해서 적용 가능.
* Flag indicating whether to use multiple threads when setting up distributed search to multiple peers.
* Defaults to false (0)
rr_min_sleep_ms = <int>
* Minimum time to sleep when reading results in round-robin mode when no data is available.
* Defaults to 10.
rr_max_sleep_ms = <int>
* Maximum time to sleep when reading results in round-robin mode when no data is available.
* Defaults to 1000
rr_sleep_factor = <int>
* If no data is available even after sleeping, increase the next sleep interval by this factor.
* defaults to 2
fieldstats_update_freq = <number>
* How often to update the field summary statistics, as a ratio to the elapsed run time so far.
* Smaller values means update more frequently. 0 means as frequently as possible.
* Defaults to 0
fieldstats_update_maxperiod = <int>
* Maximum period for updating field summary statistics in seconds
* 0 means no maximum, completely dictated by current_run_time * fieldstats_update_freq
* defaults to 60
remote_timeline = [0|1]
* If true, allows the timeline to be computed remotely to enable better map/reduce scalability.
* defaults to true (1).
remote_timeline_prefetch = <int>
* Each peer should proactively send at most this many full events at the beginning
* Defaults to 100.
remote_timeline_parallel_fetch = <bool>
* Connect to multiple peers at the same time when fetching remote events?
* Defaults to true
remote_timeline_min_peers = <int>
* Minimum search peers for enabling remote computation of timelines.
* Defaults to 1 (1).
remote_timeline_fetchall = [0|1]
* If true, fetches all events accessible through the timeline from the remote peers before the job is
considered done.
* Defaults to true (1).
remote_timeline_thread = [0|1]
* If true, uses a separate thread to read the full events from remote peers if remote_timeline is used
and remote_timeline_fetchall is set to true. (Has no effect if remote_timeline or remote_timeline_fetchall is
false).
* Defaults to true (1).
remote_timeline_max_count = <int>
* Maximum number of events to be stored per timeline bucket on each search peer,
* Defaults to 10000
remote_timeline_max_size_mb = <int>
* Maximum size of disk that remote timeline events should take on each peer
* If limit is reached, a DEBUG message is emitted (and should be visible from job inspector/messages
* Defaults to 100
remote_timeline_touchperiod = <int>
* How often to touch remote timeline artifacts to keep them from being deleted by the remote peer, while a
search is running.
* In seconds, 0 means never.
* Defaults to 300.
remote_timeline_connection_timeout = <int>
* Connection timeout in seconds for fetching events processed by remote peer timeliner.
* Defaults to 5.
remote_timeline_send_timeout = <int>
* Send timeout in seconds for fetching events processed by remote peer timeliner.
* Defaults to 10.
remote_timeline_receive_timeout = <int>
* Receive timeout in seconds for fetching events processed by remote peer timeliner.
* Defaults to 10.
default_allow_queue = [0|1]
* Unless otherwise specified via REST api argument should an async job spawning request be queued on quota
violation (if not, an http error of server too busy is returned)
* Defaults to true (1).
queued_job_check_freq = <int>
* Frequency with which to check queued jobs to see if they can be started, in seconds
* Defaults to 1.
enable_history = <bool>
* Enable keeping track of searches?
* Defaults to true
max_history_length = <int>
* Max number of searches to store in history (per user/app)
* Defaults to 1000
allow_inexact_metasearch = <bool>
* Should a metasearch that is inexact be allow. If so, an INFO message will be added to the inexact metasearches. If not, a fatal exception will occur at search parsing time.
* Defaults to false
indexed_as_exact_metasearch = <bool>
* Should we allow a metasearch to treat <field>=<value> the same as <field>::<value> if <field> is an indexed field. Allowing this will allow a larger set of metasearches when allow_inexact_metasearch is set to false. However, some of these searches may be inconsistent with the results of doing a normal search.
* Defaults to false
dispatch_dir_warning_size = <int>
* The number of jobs in the dispatch directory when to issue a bulletin message warning that performance could be impacted
* Defaults to 2000
allow_reuse = <bool>
* Allow normally executed historical searches to be implicitly re-used for newer requests if the newer request allows it?
* Defaults to true
track_indextime_range = <bool>
* Track the _indextime range of returned search results?
* Defaults to true
reuse_map_maxsize = <int>
* Maximum number of jobs to store in the reuse map
* Defaults to 1000
status_period_ms = <int>
* The minimum amout of time, in milliseconds, between successive status/info.csv file updates
* This ensures search does not spend significant time just updating these files.
* This is typically important for very large number of search peers.
* It could also be important for extremely rapid responses from search peers,
when the search peers have very little work to do.
* Defaults to 1000 (1 second)
search_process_mode = auto | traditional | debug <debugging-command> [debugging-args ...]
* Control how search processes are started
* When set to "traditional", Splunk initializes each search process completely from scratch
* When set to a string beginning with "debug", Splunk routes searches through the given command, allowing the user the to "plug in" debugging tools
* The <debugging-command> must reside in one of
* $SPLUNK_HOME/etc/system/bin/
* $SPLUNK_HOME/etc/apps/$YOUR_APP/bin/
* $SPLUNK_HOME/bin/scripts/
* Splunk will pass <debugging-args>, followed by the search command it would normally run, to <debugging-command>
* For example, given:
search_process_mode = debug $SPLUNK_HOME/bin/scripts/search-debugger.sh 5
Splunk will run a command that looks generally like:
$SPLUNK_HOME/bin/scripts/search-debugger.sh 5 splunkd search --id=... --maxbuckets=... --ttl=... [...]
* Defaults to "auto"
fetch_remote_search_log = <bool>
* If true, will attempt to fetch the search.log from every search peer at the end of the search and store in the job dispatch dir on the search head.
* Defaults to true
load_remote_bundles = <bool>
* On a search peer, allow remote (search head) bundles to be loaded in splunkd.
* Defaults to false.
use_dispatchtmp_dir = <bool>
* Whether to use the dispatchtmp directory for temporary search time files (write temporary files to a different directory from a job's dispatch directory).
* Temp files would be written to $SPLUNK_HOME/var/run/splunk/dispatchtmp/<sid>/
* In search head pooling performance can be improved by mounting disaptchtmp to the
* local file system.
* Defaults to true if search head pooling is enabled, false otherwise
check_splunkd_period = <int>
* Amount of time, in seconds, that determines how frequently the search process
* (when running a real-time search) checks whether it's parent process (splunkd) is running or not.
* Defaults to 60
allow_batch_mode = <bool>
* Whether or not to allow the use of batch mode which searching in disk based batches in a time insensative manner.
* Defaults to false
batch_search_max_index_values = <int>
* When using batch mode this limits the number of event entries read from the index file. These entries are small
* approximately 72 bytes. However batch mode is more efficient when it can read more entries at once.
* Setting this value to a smaller number can lead to slower search performance. A balance needs to be struck
* between more efficient searching in batch mode and running out of memory on the system with concurrently running searches.
* Defaults to 10000000
* These settings control the periodicity of retries to search peers in the event of failure. (Connection
* errors, and others.) The interval exists between failure and first retry, as well as successive
* retries in the event of further failures.
batch_retry_min_interval = <int>
* When batch mode attempts to retry the search on a peer that failed wait at least this many seconds
* Default to 5
batch_retry_max_interval = <int>
* When batch mode attempts to retry the search on a peer that failed wait at most this many seconds
* Default to 300
batch_retry_scaling = <double>
* After a retry attempt fails increase the time to wait before trying again by this scaling factor (Value should be > 1.0)
* Default 1.5
batch_wait_after_end = <int>
* Batch mode considers the search ended(finished) when all peers without communication failure
* have expicitly indicated that they are complete; eg have delivered the complete answer.
* After the search is at an end, batch mode will continue to retry with lost-connection peers
* for this many seconds.
* Default 900
write_multifile_results_out = <bool>
* at the end of the search if results are in multiple files, write out the multiple
* files to results_dir directory, under the search results directory.
* This will speed up post-processing search, since the results will already be
* split into appropriate size files.
* Default true
enable_cumulative_quota = <bool>
* whether to enforce cumulative role based quotas
* Default false
[realtime]
# Default options for indexer support of real-time searches
# These can all be overriden for a single search via REST API arguments
local_connect_timeout = <int>
* Connection timeout for an indexer's search process when connecting to that indexer's splunkd (in seconds)
* Defaults to 5
local_send_timeout = <int>
* Send timeout for an indexer's search process when connecting to that indexer's splunkd (in seconds)
* Defaults to 5
local_receive_timeout = <int>
* Receive timeout for an indexer's search process when connecting to that indexer's splunkd (in seconds)
* Defaults to 5
queue_size = <int>
* Size of queue for each real-time search (must be >0).
* Defaults to 10000
blocking = [0|1]
* Specifies whether the indexer should block if a queue is full.
* Defaults to false
max_blocking_secs = <int>
* Maximum time to block if the queue is full (meaningless if blocking = false)
* 0 means no limit
* Default to 60
indexfilter = [0|1]
* Specifies whether the indexer should prefilter events for efficiency.
* Defaults to true (1).
default_backfill = <bool>
* Specifies if windowed real-time searches should backfill events
* Defaults to true
enforce_time_order = <bool>
* Specifies if real-time searches should ensure that events are sorted in ascending time order (the UI will automatically reverse the order that it display events for real-time searches so in effect the latest events will be first)
* Defaults to true
disk_usage_update_period = <int>
* Specifies how frequently (in seconds) should the search process estimate the artifact disk usage.
* Defaults to 10
indexed_realtime_use_by_default = <bool>
* Should we use the indexedRealtime mode by default
* Precedence: SearchHead
* Defaults to false
indexed_realtime_disk_sync_delay = <int>
* After indexing there is a non-deterministic period where the files on disk when opened by other
* programs might not reflect the latest flush to disk, particularly when a system is under heavy load.
* This settings controls the number of seconds to wait for disk flushes to finish when using
* indexed/continuous/psuedo realtime search so that we see all of the data.
* Precedence: SearchHead overrides Indexers
* Defaults to 60
indexed_realtime_default_span = <int>
* An indexed realtime search is made up of many component historical searches that by default will
* span this many seconds. If a component search is not completed in this many seconds the next
* historical search will span the extra seconds. To reduce the overhead of running an indexed realtime
* search you can change this span to delay longer before starting the next component historical search.
* Precendence: Indexers
* Defaults to 1
indexed_realtime_maximum_span = <int>
* While running an indexed realtime search, if the component searches regularly take longer than
* indexed_realtime_default_span seconds, then indexed realtime search can fall more than
* indexed_realtime_disk_sync_delay seconds behind realtime. Use this setting to set a limit
* afterwhich we will drop data to return back to catch back up to the specified delay from
* realtime, and only search the default span of seconds.
* Precedence: API overrides SearchHead overrides Indexers
* Defaults to 0 (unlimited)
indexed_realtime_cluster_update_interval = <int>
* While running an indexed realtime search, if we are on a cluster we need to update the list
* of allowed primary buckets. This controls the interval that we do this. And it must be less
* than the indexed_realtime_disk_sync_delay. If your buckets transition from Brand New to warm
* in less than this time indexed realtime will lose data in a clustered environment.
* Precendence: Indexers
* Default: 30
[slc]
maxclusters = <integer>
* Maximum number of clusters to create.
* Defaults to 10000.
[sort]
maxfiles = <integer>
* Maximum files to open at once. Multiple passes are made if the number of result chunks
exceeds this threshold.
* Defaults to 64.
[stats|sistats]
maxmem_check_freq = <integer>
* How frequently to check to see if we are exceeding the in memory data structure size limit as specified by max_mem_usage_mb, in rows
* Defaults to 50000 rows
maxresultrows = <integer>
* Maximum number of result rows to create.
* If not specified, defaults to searchresults::maxresultrows (which is by default 50000).
maxvalues = <integer>
* Maximum number of values for any field to keep track of.
* Defaults to 0 (unlimited).
maxvaluesize = <integer>
* Maximum length of a single value to consider.
* Defaults to 0 (unlimited).
# rdigest is a data structure used to compute approximate order statistics (such as median and percentiles)
# using sublinear space.
rdigest_k = <integer>
* rdigest compression factor
* Lower values mean more compression
* After compression, number of nodes guaranteed to be greater than or equal to 11 times k.
* Defaults to 100, must be greater than or equal to 2
rdigest_maxnodes = <integer>
* Maximum rdigest nodes before automatic compression is triggered.
* Defaults to 1, meaning automatically configure based on k value
max_stream_window = <integer>
* For streamstats command, the maximum allow window size
* Defaults to 10000.
max_valuemap_bytes = <integer>
* For sistats command, the maximum encoded length of the valuemap, per result written out
* If limit is exceeded, extra result rows are written out as needed. (0 = no limit per row)
* Defaults to 100000.
perc_method = nearest-rank|interpolated
* Which method to use for computing percentiles (and medians=50 percentile).
* nearest-rank picks the number with 0-based rank R = floor((percentile/100)*count)
* interpolated means given F = (percentile/100)*(count-1), pick ranks R1 = floor(F) and R2 = ceiling(F). Answer = (R2 * (F - R1)) + (R1 * (1 - (F - R1)))
* See wikipedia percentile entries on nearest rank and "alternative methods"
* Defaults to interpolated
approx_dc_threshold = <integer>
* When using approximate distinct count (i.e. estdc(<field>) in stats/chart/timechart), do not use approximated results if the actual number of distinct values is less than this number
* Defaults to 1000
dc_digest_bits = <integer>
* 2^<integer> bytes will be size of digest used for approximating distinct count.
* Defaults to 10 (equivalent to 1KB)
* Must be >= 8 (128B) and <= 16 (64KB)
natural_sort_output = <bool>
* Do a natural sort on the output of stats if output size is <= maxresultrows
* Natural sort means that we sort numbers numerically and non-numbers lexicographically
* Defaults to true
list_maxsize = <int>
* Maximum number of list items to emit when using the list() function stats/sistats
* Defaults to 100
sparkline_maxsize = <int>
* Maximum number of elements to emit for a sparkline
* Defaults to value of list_maxsize setting
default_partitions = <int>
* Number of partitions to split incoming data into for parallel/multithreaded reduce
* Defaults to 1
partitions_limit = <int>
* Maximum number of partitions to split into that can be specified via the 'partitions' option.
* When exceeded, the number of partitions is reduced to this limit.
* Defaults to 100
[thruput]
maxKBps = <integer>
* If specified and not zero, this limits the speed through the thruput processor to the specified
rate in kilobytes per second.
* To control the CPU load while indexing, use this to throttle the number of events this indexer
processes to the rate (in KBps) you specify.
[journal_compression]
threads = <integer>
* Specifies the maximum number of indexer threads which will be work on compressing hot bucket journal data.
* Defaults to the number of CPU threads of the host machine
* This setting does not typically need to be modified.
[top]
maxresultrows = <integer>
* Maximum number of result rows to create.
* If not specified, defaults to searchresults::maxresultrows (usually 50000).
maxvalues = <integer>
* Maximum number of distinct field vector values to keep track of.
* Defaults to 100000.
maxvaluesize = <integer>
* Maximum length of a single value to consider.
* Defaults to 1000.
[summarize]
hot_bucket_min_new_events = <integer>
* The minimum number of new events that need to be added to the hot bucket (since last summarization)
* before a new summarization can take place. To disable hot bucket summarization set this value to a
* large positive number.
* Defaults to 100000
sleep_seconds = <integer>
* The amount of time to sleep between polling of summarization complete status.
* Default to 5
stale_lock_seconds = <integer>
* The amount of time to have elapse since the mod time of a .lock file before summarization considers
* that lock file stale and removes it
* Default to 600
max_summary_ratio = <float>
* A number in the [0-1) range that indicates the maximum ratio of summary data / bucket size at which
* point the summarization of that bucket, for the particual search, will be disabled. Use 0 to disable.
* Defaults to 0
max_summary_size = <int>
* Size of summary, in bytes, at which point we'll start applying the max_summary_ratio. Use 0 to disable.
* Defaults to 0
max_time = <int>
* The maximum amount of time, seconds, that a summary search process is allowed to run. Use 0 to disable.
* Defaults to 0
indextime_lag = <unsigned int>
* The amount of lag time to give indexing to ensure that it has synced any received events to disk. Effectively,
* the data that has been received in the past indextime_lag will NOT be summarized.
* Do not change this value unless directed by Splunk support.
* Defaults to 90
[transactions]
maxopentxn = <integer>
* Specifies the maximum number of not yet closed transactions to keep in the open pool before starting to evict transactions.
* Defaults to 5000.
maxopenevents = <integer>
* Specifies the maximum number of events (which are) part of open transactions before transaction eviction starts happening, using LRU policy.
* Defaults to 100000.
[inputproc]
max_fd = <integer>
* Maximum number of file descriptors that Splunk will keep open, to capture any trailing data from
files that are written to very slowly.
* Defaults to 100.
time_before_close = <integer>
* MOVED. This setting is now configured per-input in inputs.conf.
* Specifying this setting in limits.conf is DEPRECATED, but for now will override the setting for all
monitor inputs.
tailing_proc_speed = <integer>
* REMOVED. This setting is no longer used.
[scheduler]
max_searches_perc = <integer>
* The maximum number of searches the scheduler can run, as a percentage of the maximum number of concurrent
searches, see [search] max_searches_per_cpu for how to set the system wide maximum number of searches.
* Defaults to 50.
auto_summary_perc = <integer>
* The maximum number of concurrent searches to be allocated for auto summarization, as a percentage of the
concurrent searches that the scheduler can run. Note: that user scheduled searches take precedence over auto
summary searches.
* Defaults to 50.
max_action_results = <integer>
* The maximum number of results to load when triggering an alert action.
* Defaults to 10000
action_execution_threads = <integer>
* Number of threads to use to execute alert actions, change this number if your alert actions take a long
time to execute.
* This number is capped at 10.
* Defaults to 2
actions_queue_size = <integer>
* The number of alert notifications to queue before the scheduler starts blocking, set to 0 for infinite size.
* Defaults to 100
actions_queue_timeout = <integer>
* The maximum amount of time, in seconds to block when the action queue size is full.
* Defaults to 30
alerts_max_count = <integer>
* Maximum number of unexpired alerts information to keep for the alerts manager, when this number is reached
Splunk will start discarding the oldest alerts.
* Defaults to 50000
alerts_expire_period = <integer>
* The amount of time between expired alert removal
* This period controls how frequently the alerts list is scanned, the only benefit from reducing this is
better resolution in the number of alerts fired at the savedsearch level.
* Change not recommended.
* Defaults to 120.
persistance_period = <integer>
* The period (in seconds) between scheduler state persistance to disk. The scheduler currently persists
the suppression and fired-unexpired alerts to disk.
* This is relevant only in search head pooling mode.
* Defaults to 30.
max_lock_files = <int>
* The number of most recent lock files to keep around.
* This setting only applies in search head pooling.
max_lock_file_ttl = <int>
* Time (in seconds) that must pass before reaping a stale lock file .
* Only applies in search head pooling.
max_per_result_alerts = <int>
* Maximum number of alerts to trigger for each saved search instance (or real-time results preview for RT alerts)
* Only applies in non-digest mode alerting. Use 0 to disable this limit
* Defaults to 500
max_per_result_alerts_time = <int>
* Maximum number of time to spend triggering alerts for each saved search instance (or real-time results preview for RT alerts)
* Only applies in non-digest mode alerting. Use 0 to disable this limit.
* Defaults to 300
scheduled_view_timeout = <int>[s|m|h|d]
* The maximum amount of time that a scheduled view (pdf delivery) would be allowed to render
* Defaults to 60m
[auto_summarizer]
cache_timeout = <integer>
* The amount of time, in seconds, to cache auto summary details and search hash codes
* Defaults to 600 - 10 minutes
maintenance_period = <integer>
* The period of time, in seconds, that the auto summarization maintenance happens
* Defaults to 14400 (4 hours)
allow_event_summarization = <bool>
* Whether auto summarization of searches whose remote part returns events rather than results will be allowed.
* Defaults to false
max_verify_buckets = <int>
* When verifying buckets, stop after verifying this many buckets if no failures have been found
* 0 means never
* Defaults to 100
max_verify_ratio = <number>
* Maximum fraction of data in each bucket to verify
* Defaults to 0.1 (10%)
max_verify_bucket_time = <int>
* Maximum time to spend verifying each bucket, in seconds
* Defaults to 15 (seconds)
verify_delete = <bool>
* Should summaries that fail verification be automatically deleted?
* Defaults to false
max_verify_total_time = <int>
* Maximum total time in seconds to spend doing verification, regardless if any buckets have failed or not
* Defaults to 0 (no limit)
max_run_stats = <int>
* Maximum number of summarization run statistics to keep track and expose via REST.
* Defaults to 48
return_actions_with_normalized_ids = [yes|no|fromcontext]
* Report acceleration summaries are stored under a signature/hash which can be regular or normalized.
* Normalization improves the re-use of pre-built summaries but is not supported before 5.0. This config
* will determine the default value of how normalization works (regular/normalized)
* Default value is "fromcontext", which would mean the end points and summaries would be operating based on context.
* normalization strategy can also be changed via admin/summarization REST calls with the "use_normalization"
* parameter which can take the values "yes"/"no"/"fromcontext"
normalized_summaries = <bool>
* Turn on/off normalization of report acceleration summaries.
* Default = false and will become true in 6.0
detailed_dashboard = <bool>
* Turn on/off the display of both normalized and regular summaries in the Report
* acceleration summary dashboard and details.
* Default = false
[show_source]
max_count = <integer>
* Maximum number of events accessible by show_source.
* The show source command will fail when more than this many events are in the same second as the requested event.
* Defaults to 10000
max_timebefore = <timespan>
* Maximum time before requested event to show.
* Defaults to '1day' (86400 seconds)
max_timeafter = <timespan>
* Maximum time after requested event to show.
* Defaults to '1day' (86400 seconds)
distributed = <bool>
* Controls whether we will do a distributed search for show source to get events from all servers and indexes
* Turning this off results in better performance for show source, but events will only come from the initial server and index
* NOTE: event signing and verification is not supported in distributed mode
* Defaults to true
distributed_search_limit = <unsigned int>
* Sets a limit on the maximum events we will request when doing the search for distributed show source
* As this is used for a larger search than the initial non-distributed show source, it is larger than max_count
* Splunk will rarely return anywhere near this amount of results, as we will prune the excess results
* The point is to ensure the distributed search captures the target event in an environment with many events
* Defaults to 30000
[typeahead]
maxcount = <integer>
* Maximum number of typeahead results to find.
* Defaults to 1000
use_cache = [0|1]
* Specifies whether the typeahead cache will be used if use_cache is not specified in the command line or endpoint.
* Defaults to true.
fetch_multiplier = <integer>
* A multiplying factor that determines the number of terms to fetch from the index, fetch = fetch_multiplier x count.
* Defaults to 50
cache_ttl_sec = <integer>
* How long the typeahead cached results are valid, in seconds.
* Defaults to 300.
min_prefix_length = <integer>
* The minimum string prefix after which to provide typeahead.
* Defaults to 1.
max_concurrent_per_user = <integer>
* The maximum number of concurrent typeahead searches per user. Once this maximum is reached only cached
* typeahead results might be available
* Defaults to 3.
[typer]
maxlen = <int>
* In eventtyping, pay attention to first <int> characters of any attribute (such as _raw), including individual
tokens. Can be overridden by supplying the typer operator with the argument maxlen (for example, "|typer maxlen=300").
* Defaults to 10000.
[authtokens]
expiration_time = <integer>
* Expiration time of auth tokens in seconds.
* Defaults to 3600
[sample]
maxsamples = <integer>
* Defaults to 10000
maxtotalsamples = <integer>
* Defaults to 100000
[metadata]
maxresultrows = <integer>
* the maximum number of results in a single chunk fetched by the metadata command
* a smaller value will require less memory on the search head in setups with
large number of peers and many metadata results, though, setting this too
small will decrease the search performance
* default is 10000
* do not change unless instructed to do so by Splunk Support
maxcount = <integer>
* the total number of metadata search results returned by the search head;
after the maxcount is reached, any addtional metadata results received from
the search peers will be ignored (not returned)
* a larger number incurs additional memory usage on the search head
* default is 100000
[set]
maxresultrows = <integer>
* the maximum number of results the set command will use from each resultset to compute the required set operation
[input_channels]
max_inactive = <integer>
* internal setting, do not change unless instructed to do so by Splunk Support
lowater_inactive = <integer>
* internal setting, do not change unless instructed to do so by Splunk Support
inactive_eligibility_age_seconds = <integer>
* internal setting, do not change unless instructed to do so by Splunk Support
[ldap]
max_users_to_precache = <unsigned integer>
* The maximum number of users we will attempt to precache from LDAP after reloading auth
* Set this to 0 to turn off precaching
allow_multiple_matching_users = <bool>
* This controls whether we allow login when we find multiple entries with the same value for the username attribute
* When multiple entries are found, we choose the first user DN lexicographically
* Setting this to false is more secure as it does not allow any ambiguous login, but users with duplicate entries will not be able to login.
* Defaults to true
[spath]
extraction_cutoff = <integer>
* For extract-all spath extraction mode, only apply extraction to the first <integer> number of bytes
* Defaults to 5000
extract_all = <boolean>
* Controls whether we respect automatic field extraction when spath is invoked manually.
* If true, we extract all fields regardless of settings. If false, we only extract fields used by later splunk commands.
[reversedns]
rdnsMaxDutyCycle = <integer>
* generate diagnostic WARN in splunkd.log if reverse dns lookups are taking
* more than this percent of time
* range 0-100
* default 10
[viewstates]
enable_reaper = <boolean>
* Controls whether the viewstate reaper runs
* Defaults to true
reaper_freq = <integer>
* Controls how often the viewstate reaper runs
* Defaults to 86400 (1 day)
reaper_soft_warn_level = <integer>
* Controls what the reaper considers an acceptable number of viewstates
* Defaults to 1000
ttl = <integer>
* Controls the age at which a viewstate is considered eligible for reaping
* Defaults to 86400 (1 day)
[geostats]
maxzoomlevel = <integer>
* contols the number of zoom levels that geostats will cluster events on
zl_0_gridcell_latspan = <float>
* contols what is the grid spacing in terms of latitude degrees at the lowest zoom level, which is zoom-level 0
* grid-spacing at other zoom levels are auto created from this value by reducing by a factor of 2 at each zoom-level.
zl_0_gridcell_longspan = <float>
* contols what is the grid spacing in terms of longitude degrees at the lowest zoom level, which is zoom-level 0
* grid-spacing at other zoom levels are auto created from this value by reducing by a factor of 2 at each zoom-level.
filterstrategy = <integer>
* controls the selection strategy on the geoviz map. Allowed values are 1 and 2
[tscollect]
squashcase = <boolean>
* The default value of the 'squashcase' argument if not specified by the command
* Defaults to false
keepresults = <boolean>
* The default value of the 'keepresults' argument if not specified by the command
* Defaults to false
optimize_max_size_mb = <unsigned int>
* The maximum size in megabytes of files to create with optimize
* Specify 0 for no limit (may create very large tsidx files)
* Defaults to 1024
[tstats]
apply_search_filter = <boolean>
* Controls whether we apply role-based search filters when users run tstats on normal index data
* Note: we never apply search filters to data collected with tscollect or datamodel acceleration
* Defaults to true
summariesonly = <boolean>
* The default value of 'summariesonly' arg if not specified by the command
* When running tstats on an accelerated datamodel, summariesonly=false implies a mixed mode where we will fall back to search for missing TSIDX data
* summariesonly=true overrides this mixed mode to only generate results from TSIDX data, which may be incomplete
* Defaults to false
[pdf]
max_rows_per_table = <unsigned int>
* The maximum number of rows that will be rendered for a table within integrated PDF rendering
* Defaults to 1000
render_endpoint_timeout = <unsigned int>
* The number of seconds after which the pdfgen render endpoint will timeout if it has not yet finished rendering the PDF output
* Defaults to 3600
'Splunk Configure > Configure Desc.' 카테고리의 다른 글
| transforms.conf (0) | 2013.12.19 |
|---|---|
| props.conf (0) | 2013.12.09 |
| outputs.conf (0) | 2013.12.09 |
| inputs.conf (1) | 2013.12.09 |
