https://community.splunk.com/t5/Getting-Data-In/File-Eating/m-p/30257#M5277 <P>Change <CODE>MAX_EVENTS</CODE> for your sourcetype in props.conf.</P> <PRE><CODE>MAX_EVENTS = &lt;integer&gt; * Specifies the maximum number of input lines to add to any event. * Splunk breaks after the specified number of lines are read. * Defaults to 256 (lines). </CODE></PRE> Wed, 07 Dec 2011 17:46:41 GMT Ayn 2011-12-07T17:46:41Z https://community.splunk.com/t5/Getting-Data-In/File-Eating/m-p/30256#M5276 <P>I am eating NESSUS.V1 files from our Nessus contiues monitoring system</P> <P>Nessus puts the output from the scan in XML format in the v1 files and the indivitule system info is put in a one event format when it is read into Splunk indexer.</P> <P>The problem is some of the events are more than 257 lines and Splunk is truncating the events at 257.<BR /><BR /> Then I lose some of the event integrity and I have to go look at the very next event to get the rest of the data. </P> <P>How can I increase the number of lines for this source or source type?</P> Wed, 07 Dec 2011 17:41:29 GMT https://community.splunk.com/t5/Getting-Data-In/File-Eating/m-p/30256#M5276 hartfoml 2011-12-07T17:41:29Z https://community.splunk.com/t5/Getting-Data-In/File-Eating/m-p/30257#M5277 <P>Change <CODE>MAX_EVENTS</CODE> for your sourcetype in props.conf.</P> <PRE><CODE>MAX_EVENTS = &lt;integer&gt; * Specifies the maximum number of input lines to add to any event. * Splunk breaks after the specified number of lines are read. * Defaults to 256 (lines). </CODE></PRE> Wed, 07 Dec 2011 17:46:41 GMT https://community.splunk.com/t5/Getting-Data-In/File-Eating/m-p/30257#M5277 Ayn 2011-12-07T17:46:41Z https://community.splunk.com/t5/Getting-Data-In/File-Eating/m-p/30258#M5278 <P>Also, I would be very interested to hear what you're doing and what you want to do with Nessus reports in Splunk. I'm in the process of creating an app for Nessus and some other vulnerability scanners so I'm very thankful for all input!</P> Wed, 07 Dec 2011 17:47:46 GMT https://community.splunk.com/t5/Getting-Data-In/File-Eating/m-p/30258#M5278 Ayn 2011-12-07T17:47:46Z https://community.splunk.com/t5/Getting-Data-In/File-Eating/m-p/30259#M5279 <P>thanks Ayn,</P> <P>I found this post after I asked the question</P> <P><A href="http://splunk-base.splunk.com/answers/6764/events-chunked-into-256-lines">http://splunk-base.splunk.com/answers/6764/events-chunked-into-256-lines</A></P> <P>Thanks again</P> Wed, 07 Dec 2011 17:49:11 GMT https://community.splunk.com/t5/Getting-Data-In/File-Eating/m-p/30259#M5279 hartfoml 2011-12-07T17:49:11Z https://community.splunk.com/t5/Getting-Data-In/File-Eating/m-p/30260#M5280 <P>Ayn,</P> <P>Do you think I should modify the props.conf in the universal forwarder app "/etc/deployment-apps/appName/Local" or the indexer "etc/system/local" ?</P> Wed, 07 Dec 2011 18:11:53 GMT https://community.splunk.com/t5/Getting-Data-In/File-Eating/m-p/30260#M5280 hartfoml 2011-12-07T18:11:53Z https://community.splunk.com/t5/Getting-Data-In/File-Eating/m-p/30261#M5281 <P>Line breaking is done on the indexer, so that's where the props.conf changes should go.</P> Wed, 07 Dec 2011 18:18:19 GMT https://community.splunk.com/t5/Getting-Data-In/File-Eating/m-p/30261#M5281 Ayn 2011-12-07T18:18:19Z https://community.splunk.com/t5/Getting-Data-In/File-Eating/m-p/30262#M5282 <P>Well, line breaking hapens whereever the parsing occurs. With a Universal Forwarder, it is indeed on the indexer, but details are: <A href="http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings%3F">http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings%3F</A></P> Wed, 07 Dec 2011 18:48:31 GMT https://community.splunk.com/t5/Getting-Data-In/File-Eating/m-p/30262#M5282 gkanapathy 2011-12-07T18:48:31Z https://community.splunk.com/t5/Getting-Data-In/File-Eating/m-p/30263#M5283 <P>Well in this case it was either on a UF or an indexer, so...</P> Wed, 07 Dec 2011 20:35:08 GMT https://community.splunk.com/t5/Getting-Data-In/File-Eating/m-p/30263#M5283 Ayn 2011-12-07T20:35:08Z