https://community.splunk.com/t5/Getting-Data-In/How-can-I-get-more-than-10-000-lines-into-a-single-event/m-p/318932#M59583 <P>We are collecting from UF</P> Wed, 11 Apr 2018 07:21:21 GMT payal23 2018-04-11T07:21:21Z https://community.splunk.com/t5/Getting-Data-In/How-can-I-get-more-than-10-000-lines-into-a-single-event/m-p/318927#M59578 <P>I want more than 10,000 lines to merge and show in a single event.</P> <PRE><CODE>[tally_nightly_prd] SHOULD_LINEMERGE=true NO_BINARY_CHECK=true CHARSET=UTF-8 TRUNCATE=0 disabled=false BREAK_ONLY_BEFORE=\*\*\*\*\*\*\*\*\*\*\*\*\snightlyProcess\sStarted MAX_EVENTS=90000 TIME_FORMAT=%+ TIME_PREFIX=\*\*\*\*\*\*\*\*\*\*\*\*\snightlyProcess\sStarted </CODE></PRE> Tue, 10 Apr 2018 11:54:33 GMT https://community.splunk.com/t5/Getting-Data-In/How-can-I-get-more-than-10-000-lines-into-a-single-event/m-p/318927#M59578 payal23 2018-04-10T11:54:33Z https://community.splunk.com/t5/Getting-Data-In/How-can-I-get-more-than-10-000-lines-into-a-single-event/m-p/318928#M59579 <P>And what exactly is your question? Is your current config not working as expected? If so: what is the expected outcome and what outcome are you now getting?</P> <P>Also a bit more context around the data you're ingesting and what you are trying to achieve would probably help <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Tue, 10 Apr 2018 12:24:05 GMT https://community.splunk.com/t5/Getting-Data-In/How-can-I-get-more-than-10-000-lines-into-a-single-event/m-p/318928#M59579 FrankVl 2018-04-10T12:24:05Z https://community.splunk.com/t5/Getting-Data-In/How-can-I-get-more-than-10-000-lines-into-a-single-event/m-p/318929#M59580 <P>In between my file start and end points there are number of lines in between which is more than 10,000 and i want all the lines to come under one event. But the breaking is not happening in that way. In mid it is breaking anywhere.</P> Tue, 10 Apr 2018 13:01:36 GMT https://community.splunk.com/t5/Getting-Data-In/How-can-I-get-more-than-10-000-lines-into-a-single-event/m-p/318929#M59580 payal23 2018-04-10T13:01:36Z https://community.splunk.com/t5/Getting-Data-In/How-can-I-get-more-than-10-000-lines-into-a-single-event/m-p/318930#M59581 <P>And how are you collecting this data? With a HF or a UF and how/where is it then forwarded?</P> Tue, 10 Apr 2018 13:32:49 GMT https://community.splunk.com/t5/Getting-Data-In/How-can-I-get-more-than-10-000-lines-into-a-single-event/m-p/318930#M59581 FrankVl 2018-04-10T13:32:49Z https://community.splunk.com/t5/Getting-Data-In/How-can-I-get-more-than-10-000-lines-into-a-single-event/m-p/318931#M59582 <P>Just want to make sure you're aware that having that many line in a single event will not give you a pleasant Splunk UI experience when viewing the same. Assuming you still want to do it, give this a try</P> <PRE><CODE> [tally_nightly_prd] SHOULD_LINEMERGE=false LINE_BREAKER = ([\r\n]+)(?=(\*){12}\snightlyProcess\sStarted) TRUNCATE=0 MAX_EVENTS=90000 TIME_FORMAT=%+ TIME_PREFIX=^\*\*\*\*\*\*\*\*\*\*\*\*\snightlyProcess\sStarted </CODE></PRE> Tue, 10 Apr 2018 18:47:31 GMT https://community.splunk.com/t5/Getting-Data-In/How-can-I-get-more-than-10-000-lines-into-a-single-event/m-p/318931#M59582 somesoni2 2018-04-10T18:47:31Z https://community.splunk.com/t5/Getting-Data-In/How-can-I-get-more-than-10-000-lines-into-a-single-event/m-p/318932#M59583 <P>We are collecting from UF</P> Wed, 11 Apr 2018 07:21:21 GMT https://community.splunk.com/t5/Getting-Data-In/How-can-I-get-more-than-10-000-lines-into-a-single-event/m-p/318932#M59583 payal23 2018-04-11T07:21:21Z https://community.splunk.com/t5/Getting-Data-In/How-can-I-get-more-than-10-000-lines-into-a-single-event/m-p/318933#M59584 <P>And is that UF sending to a single indexer/HF or to a load balanced pool of destinations (e.g. indexer cluster, multiple intermediate forwarders...)?</P> Wed, 11 Apr 2018 07:42:31 GMT https://community.splunk.com/t5/Getting-Data-In/How-can-I-get-more-than-10-000-lines-into-a-single-event/m-p/318933#M59584 FrankVl 2018-04-11T07:42:31Z https://community.splunk.com/t5/Getting-Data-In/How-can-I-get-more-than-10-000-lines-into-a-single-event/m-p/318934#M59585 <P>Thanks...Yes, logs are having big xml payload and hence merging in an event will make sense.</P> <P>I tried the above but now the lines are breaking in single line. </P> <P><span class="lia-unicode-emoji" title=":disappointed_face:">😞</span> </P> Mon, 16 Apr 2018 01:12:26 GMT https://community.splunk.com/t5/Getting-Data-In/How-can-I-get-more-than-10-000-lines-into-a-single-event/m-p/318934#M59585 payal23 2018-04-16T01:12:26Z https://community.splunk.com/t5/Getting-Data-In/How-can-I-get-more-than-10-000-lines-into-a-single-event/m-p/318935#M59586 <P>Sending to indexer cluster</P> Mon, 16 Apr 2018 01:12:58 GMT https://community.splunk.com/t5/Getting-Data-In/How-can-I-get-more-than-10-000-lines-into-a-single-event/m-p/318935#M59586 payal23 2018-04-16T01:12:58Z https://community.splunk.com/t5/Getting-Data-In/How-can-I-get-more-than-10-000-lines-into-a-single-event/m-p/318936#M59587 <P>you can increase the truncate parameter to 40k or 50k. </P> Thu, 16 Apr 2020 20:03:04 GMT https://community.splunk.com/t5/Getting-Data-In/How-can-I-get-more-than-10-000-lines-into-a-single-event/m-p/318936#M59587 manishankark04 2020-04-16T20:03:04Z https://community.splunk.com/t5/Getting-Data-In/How-can-I-get-more-than-10-000-lines-into-a-single-event/m-p/318937#M59588 <P>hello</P> <P>open the limits.conf and configration maxchars=10240</P> Fri, 17 Apr 2020 06:46:07 GMT https://community.splunk.com/t5/Getting-Data-In/How-can-I-get-more-than-10-000-lines-into-a-single-event/m-p/318937#M59588 jinseong 2020-04-17T06:46:07Z