https://community.splunk.com/t5/Getting-Data-In/truncate-logs-with-syslog/m-p/93214#M19388 <P>Not sure if this will help, but did you try setting TRUNCATE = 0? Also, you should keep in mind that MAX_EVENTS only take affect if SHOULD_LINEMERGE = true.</P> Mon, 28 Sep 2020 09:31:13 GMT jbsplunk 2020-09-28T09:31:13Z https://community.splunk.com/t5/Getting-Data-In/truncate-logs-with-syslog/m-p/93213#M19387 <P>Hi,</P> <P>I'm using an UDP connection with syslog and Splunk. </P> <P>My problem is that Splunk only show me the firsts 2072 characters of a log. I try to increase the values of "TRUNCATE" and "MAX_EVENTS" inside the props.conf, but it didn't work.</P> <P>Also I checked with Wireshark that the logs are sended correctly with syslog.</P> <P>Any suggestions?</P> <P>Thanks.</P> Mon, 02 May 2011 07:24:11 GMT https://community.splunk.com/t5/Getting-Data-In/truncate-logs-with-syslog/m-p/93213#M19387 torbael 2011-05-02T07:24:11Z https://community.splunk.com/t5/Getting-Data-In/truncate-logs-with-syslog/m-p/93214#M19388 <P>Not sure if this will help, but did you try setting TRUNCATE = 0? Also, you should keep in mind that MAX_EVENTS only take affect if SHOULD_LINEMERGE = true.</P> Mon, 28 Sep 2020 09:31:13 GMT https://community.splunk.com/t5/Getting-Data-In/truncate-logs-with-syslog/m-p/93214#M19388 jbsplunk 2020-09-28T09:31:13Z https://community.splunk.com/t5/Getting-Data-In/truncate-logs-with-syslog/m-p/93215#M19389 <P>I was told that Splunk's syslog implementation is 'RFC compliant' so that it only accepts the first 1KB of a syslog message. Maybe you are running into something related to that limitation?</P> Thu, 19 May 2011 21:17:18 GMT https://community.splunk.com/t5/Getting-Data-In/truncate-logs-with-syslog/m-p/93215#M19389 jaoui 2011-05-19T21:17:18Z