KB 089 – Splunk KV Extraction Limit
Steps to Increase Key-Value Pair Extractions Limit in Splunk
If events in your Splunk instance can be larger than 10240 characters, Splunk won’t
auto-extract key-value pairs beyond the first 10240 characters of an event. There are two ways of
overcoming this problem:
- Using props.conf (Note: This method only works if you have data in the form of JSON)
- Using limits.conf
1. Using props.conf:
Step 1: Go to the $SPLUNK_HOME/etc/apps/BNW-app-powerconnect/local/ directory.
Step 2: If a file named props.conf exists, edit it; if it doesn’t exist, create one.
Step 3: There are two ways you can apply the settings.
- For a specific sourcetype, host or source (preferred way)
- Apply the settings globally
a. For a specific sourcetype, host or source:
For a specific sourcetype:
Let’s say you want to apply the settings to sourcetype=sap:java
For a specific source:
Let’s say you want to apply the settings to source=N71
For a specific host:
Let’s say you want to apply the settings to host=SAPN71D
b. Apply the settings globally:
Note: If the same settings are already applied to a specific sourcetype, host or source, these global settings won’t override them.
Add the following content to your props.conf file.
Final Step: Restart Splunk for these changes to take effect.
2. Using limits.conf
Step 1: Go to the $SPLUNK_HOME/etc/system/local/ directory.
Step 2: If a file named limits.conf exists, edit it; if it doesn’t exist, create one.
Step 3: Add the following content to the file:
Note: You can set the character limit to suit your requirements.
If the file already has a [kv] stanza, just add the maxchars = 2500000 line to that stanza to increase the character limit to 2500000 characters.
Final Step: Restart Splunk for these changes to take effect.
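The limits.conf edit above has two cases: the file already has a [kv] stanza, or it does not. The following is an added example, not part of the original KB or of the PowerConnect app, showing one way to apply the change so that it is safe to run repeatedly. The helper name set_kv_maxchars and the sample file contents are assumptions made for illustration.

```python
import os
import re
import sys

STANZA_RE = re.compile(r"^\s*\[([^\]]*)\]\s*$")   # stanza header, e.g. [kv]
MAXCHARS_RE = re.compile(r"^\s*maxchars\s*=")      # live setting, not a "# maxchars" comment


def set_kv_maxchars(conf_text, maxchars=2500000):
    """Return limits.conf text with maxchars set exactly once under [kv].

    Hypothetical helper: other stanzas, settings and comments are kept as-is.
    """
    new_line = f"maxchars = {maxchars}"
    out, in_kv, written = [], False, False
    for line in conf_text.splitlines():
        stanza = STANZA_RE.match(line)
        if stanza:
            in_kv = stanza.group(1).strip() == "kv"
            out.append(line)
            if in_kv and not written:
                out.append(new_line)        # place the setting right under [kv]
                written = True
            continue
        if in_kv and MAXCHARS_RE.match(line):
            continue                        # drop the old value inside [kv]
        out.append(line)
    if not written:                         # no [kv] stanza yet: append one
        if out and out[-1].strip():
            out.append("")
        out += ["[kv]", new_line]
    return "\n".join(out) + "\n"


# Constructed sample: a limits.conf that already has a [kv] stanza.
SAMPLE = "[kv]\nmaxchars = 10240\nlimit = 100\n\n[search]\nttl = 600\n"

if __name__ == "__main__":
    if len(sys.argv) > 1:                   # path to limits.conf given as argument
        path, text = sys.argv[1], ""
        if os.path.exists(path):            # the KB says to create the file if missing
            with open(path, encoding="utf-8") as fh:
                text = fh.read()
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(set_kv_maxchars(text))
    else:
        print(set_kv_maxchars(SAMPLE), end="")
```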