KB 089 – Splunk KV Extraction Limit


Steps to Increase Key-Value Pair Extractions Limit in Splunk

If events in your Splunk instance are larger than 10240 characters, Splunk won’t
auto-extract key-value pairs beyond the first 10240 characters. There are two ways of
overcoming this problem:

  1. Using props.conf (Note: This method only works if your data is in JSON format)
  2. Using limits.conf

1. Using props.conf:

Step 1: Go to the $SPLUNK_HOME/etc/apps/BNW-app-powerconnect/local/ directory.


Step 2: If a file named props.conf exists, edit it; if it doesn’t exist, create one.

Step 3: There are two ways you can apply the settings.

  • For specific sourcetype or host or source (preferred way)
  • Globally apply settings

a. For specific sourcetype or host or source:

For a specific sourcetype:
Let’s say you want to apply the settings to sourcetype=sap:java

[Image: Splunk KV Extraction Limit]

For a specific source:
Let’s say you want to apply the settings to source=N71

[Image: Splunk KV Extraction Limit]

For a specific host:
Let’s say you want to apply the settings to host=SAPN71D

b. Globally apply settings:
Note: If the same settings are already applied to a specific sourcetype, host or source, these global settings won’t override them.
Add the following content to your props.conf file.

[Image: Splunk KV Extraction Limit]

Final Step: Restart Splunk for these changes to take effect.

2. Using limits.conf

Step 1: Go to the $SPLUNK_HOME/etc/system/local/ directory.


Step 2: If a file named limits.conf exists, edit it; if it doesn’t exist, create one.

Step 3: Add the following content to the file:

Note: You can specify the character limit as per your requirement.

[Image: Splunk KV Extraction Limit]

If the file already has a [kv] stanza, just add the line maxchars = 2500000 to that stanza to increase the character limit to 2500000 characters.

Final Step: Restart Splunk for these changes to take effect.
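
One way to script the limits.conf edit described above, as an added example that is not part of the original article: it sets maxchars in the [kv] stanza whether the file is empty, has no [kv] stanza, or already has one. The function names and the sample file content are assumptions made for illustration.

```python
import re

STANZA_RE = re.compile(r"^\s*\[(?P<name>[^\]]*)\]\s*$")
MAXCHARS_RE = re.compile(r"^\s*maxchars\s*=")


def _insert_setting(out, setting):
    """Insert the setting at the end of the current stanza, before trailing blank lines."""
    i = len(out)
    while i > 0 and not out[i - 1].strip():
        i -= 1
    out.insert(i, setting)


def set_kv_maxchars(conf_text, maxchars=2500000):
    """Return limits.conf text with `maxchars` set in the [kv] stanza."""
    setting = f"maxchars = {maxchars}"
    out, in_kv, done = [], False, False
    for line in conf_text.splitlines():
        header = STANZA_RE.match(line)
        if header:
            if in_kv and not done:      # leaving [kv] with no maxchars line yet
                _insert_setting(out, setting)
                done = True
            in_kv = header.group("name").strip() == "kv"
        elif in_kv and MAXCHARS_RE.match(line):
            if done:                    # drop a repeated maxchars line
                continue
            line, done = setting, True
        out.append(line)
    if not done:
        if not in_kv:                   # no [kv] stanza in the file: create one
            if out and out[-1].strip():
                out.append("")
            out.append("[kv]")
        _insert_setting(out, setting)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Constructed sample: a limits.conf that has a [kv] stanza but no maxchars line.
    sample = "[kv]\nlimit = 100\n\n[search]\nttl = 600\n"
    print(set_kv_maxchars(sample), end="")
```

The function only returns the new file text; writing it back to limits.conf and restarting Splunk remain the manual steps described above.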
