https://community.splunk.com/t5/Getting-Data-In/Splunk-truncates-field-prior-to-indexing/m-p/109324#M22982 <P>Hi bruceclarke,</P> <P>What kind of forwarder is it? <BR /> If it is a heavy forwarder, place the props.conf on it; if it is a universal forwarder place the props.conf on the indexer. <BR /> Read this nice wiki post to learn more about this <A href="http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings%3F">http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings%3F</A></P> <P>You can also check <CODE>splunkd.log</CODE> for something like this <CODE>WARN LineBreakingProcessor - Truncating line because limit of 10000 has been exceeded</CODE> to verify if it is really a truncating problem.</P> <P>Also run <CODE>$SPLUNK_HOME/bin/splunk cmd btool props list YourSourceType | grep TRUNCATE</CODE> to verify your <CODE>props.conf</CODE> is applied.</P> <P>Hope this helps ...</P> <P>cheers, MuS</P> Tue, 07 Jul 2015 22:29:13 GMT MuS 2015-07-07T22:29:13Z https://community.splunk.com/t5/Getting-Data-In/Splunk-truncates-field-prior-to-indexing/m-p/109323#M22981 <P>All,</P> <P>I'm forwarding data from a Splunk forwarder that has one field with a long value (over 10k characters). I want to have Splunk index this field without truncating the value. I've set props.conf to have <CODE>TRUNCATE = 0</CODE> for the appropriate sourcetype. I also modified limits.conf to have <CODE>maxchars=1000000</CODE> for the kv stanza. Neither worked.</P> <P>I'm also unclear if this is actually a limits issue, since I run the following query and get a different value for the length of the field. Typically the length is around 3900 characters, but it fluctuates by +/- 100 characters.</P> <P><CODE>sourcetype=sourceTypeWithTruncatedField | eval l = len(truncatedField)</CODE></P> <P>Why else might Splunk be truncating this field? I know the field isn't truncating in the log file we're forwarding, so I assume the issue is occurring on index.</P> Tue, 07 Jul 2015 22:08:55 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-truncates-field-prior-to-indexing/m-p/109323#M22981 bruceclarke 2015-07-07T22:08:55Z https://community.splunk.com/t5/Getting-Data-In/Splunk-truncates-field-prior-to-indexing/m-p/109324#M22982 <P>Hi bruceclarke,</P> <P>What kind of forwarder is it? <BR /> If it is a heavy forwarder, place the props.conf on it; if it is a universal forwarder place the props.conf on the indexer. <BR /> Read this nice wiki post to learn more about this <A href="http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings%3F">http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings%3F</A></P> <P>You can also check <CODE>splunkd.log</CODE> for something like this <CODE>WARN LineBreakingProcessor - Truncating line because limit of 10000 has been exceeded</CODE> to verify if it is really a truncating problem.</P> <P>Also run <CODE>$SPLUNK_HOME/bin/splunk cmd btool props list YourSourceType | grep TRUNCATE</CODE> to verify your <CODE>props.conf</CODE> is applied.</P> <P>Hope this helps ...</P> <P>cheers, MuS</P> Tue, 07 Jul 2015 22:29:13 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-truncates-field-prior-to-indexing/m-p/109324#M22982 MuS 2015-07-07T22:29:13Z https://community.splunk.com/t5/Getting-Data-In/Splunk-truncates-field-prior-to-indexing/m-p/109325#M22983 <P>It should be a universal forwarder, but good point. I'll double check this. And thanks for the command line options - even if they don't help debug this issue, they're great to have.</P> Wed, 08 Jul 2015 18:51:34 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-truncates-field-prior-to-indexing/m-p/109325#M22983 bruceclarke 2015-07-08T18:51:34Z https://community.splunk.com/t5/Getting-Data-In/Splunk-truncates-field-prior-to-indexing/m-p/109326#M22984 <P>It looks like this input was set up using a powershell script that queries a SQL database for information. I believe the truncation was actually on SQL's end. It only prints the first 8000 characters of the column.</P> <P>I'm looking into the issue more, but this should be enough to go on for now.</P> Thu, 09 Jul 2015 14:57:38 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-truncates-field-prior-to-indexing/m-p/109326#M22984 bruceclarke 2015-07-09T14:57:38Z