We have a universal forwarder that monitors json files with number of keys>500. We need to parse this during index time, since we don't want to affect search performance during search time. By default splunk only extracts 100 fields and I need to add below configurations in limits.conf to increase this.
[kv]
avg_extractor_time = 500
limit = 1000
max_extractor_time = 1000
maxchars = 51200
maxcols = 1024
**My question is where do I need to add these configurations, on universal forwarder or on indexer servers?**
I referred **"4. Detail Diagram - UF/LWF to Indexer"** in this page [https://wiki.splunk.com/Community:HowIndexingWorks][1]. But this doesn't tell where to configure inputs.conf exactly.
One more thing below configurations are already added in props.conf on universal forwarder to parse json data.
[sourcetype]
INDEXED_EXTRACTIONS = json
KV_MODE=none
[1]: https://wiki.splunk.com/Community:HowIndexingWorks
↧