Skip to main content
Skip table of contents

KB 89 - Splunk KV Extraction Limit

KB 89 (Splunk): Splunk KV Extraction Limit

Category: Information

Priority: Normal

Platform: Splunk

Version: 1 from 23.03.2021

Description

If the data in your Splunk instance may have an event size greater than 10240 characters then Splunk won’t auto-extract kv-pairs after 10240 characters. So there are two ways of overcoming this problem:

  1. Using props.conf (Note: This method only works if you have data in the form of JSON)

  2. Using limits.conf

Using props.conf

  • Go to $SPLUNK_HOME$/etc/apps/BNW-app-powerconnect/local/ directory.

  • If there exist a file named props.conf then edit and if it doesn’t exist create one.

  • There are two ways you can apply the settings:

    • For specific sourcetype or host or source (preferred way)

    • Globally apply settings

For a specific sourcetype. host, or source:

For a specific sourcetype:

Let’s say you want to apply for sourcetype=sap:java

For a specific source:

Let’s say you want to apply for source=N71

For a specific host:

Let’s say you want to apply for host=SAPN71D

Important Note: Restart Splunk for the changes to take effect

Globally apply settings:

Note: If there are same settings applied for any specific sourcetype, host or source then these settings won’t override them.
Add the following content to your props.conf file.

Important Note: Restart Splunk for the changes to take effect

Using limits.conf

  • Go to $SPLUNK_HOME$/etc/system/local/ directory.

  • If there exist a file named limits.conf then edit and if it doesn’t exist create one.

  • Add the following content to the file:

Note: You can specify the character limit as per your requirement.

If the file already has [kv] stanza then just add the maxchars = 2500000 line in that stanza to increase the character limit to 2500000 characters.

Important Note: Restart Splunk to make these changes into effect.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.