https://community.splunk.com/t5/Getting-Data-In/Truncate-in-props-conf/m-p/457156#M78982 <P>I would push VERY HARD for migrating away from syslog-direct-to-Indexer by adding a syslog-ng node and either doing either this:<BR /> <A href="http://www.georgestarcher.com/splunk-success-with-syslog/">http://www.georgestarcher.com/splunk-success-with-syslog/</A><BR /> Or this:<BR /> <A href="https://www.splunk.com/blog/2017/03/30/syslog-ng-and-hec-scalable-aggregated-data-collection-in-splunk.html">https://www.splunk.com/blog/2017/03/30/syslog-ng-and-hec-scalable-aggregated-data-collection-in-splunk.html</A></P> <P>If you get your RegEx wrong and you have huge volume, then you can crash your Indexers using <CODE>TRUNCATE=0</CODE> which is why we just keep adding <CODE>9</CODE>s to the order of magintude that we expect (e.g. <CODE>TRUNCATE = 999999</CODE>).</P> <P>To look for truncated events, look for the "leftover" pieces with a search like this:</P> <PRE><CODE>index=&lt;You Should Always Specify Your index&gt; AND sourcetype=&lt;And Your sourcetype Too&gt; | where _time == _indextime </CODE></PRE> <P>Or you can do</P> <PRE><CODE>... | regex punct!="^&lt;Your Normal Punct beginning here&gt;" </CODE></PRE> Mon, 08 Jul 2019 16:47:01 GMT woodcock 2019-07-08T16:47:01Z https://community.splunk.com/t5/Getting-Data-In/Truncate-in-props-conf/m-p/457154#M78980 <P>what is the expected impact of increasing the value for TRUNCATE, the log reception upper limit setting value that can be defined in the indexer props.conf.<BR /> Also, is there any problem cases with TRUNCATE increased or 0 (unlimited).<BR /> 　　</P> <P>Further, in the customer environment, with index server directly receiving proxy log by syslog transfer, we plan to change the value to TRUNCATE = 64,000.<BR /> 　 <BR /> Is there a way to verify that a log (truncated log) that exceeds the TRUNCATE value has occurred?</P> <P>Can I assume that the log of the truncated part cannot be recovered? </P> Sun, 07 Jul 2019 19:53:14 GMT https://community.splunk.com/t5/Getting-Data-In/Truncate-in-props-conf/m-p/457154#M78980 simon21 2019-07-07T19:53:14Z https://community.splunk.com/t5/Getting-Data-In/Truncate-in-props-conf/m-p/457155#M78981 <P>If you are seeing events being truncated (regularly seeing "truncating" in splunkd.log) then increasing the value of TRUNCATE for that sourcetype should help eliminate the truncations.<BR /> Increasing the value for TRUNCATE increases indexer memory use. Likewise, for setting the value to zero.</P> <P>It's not Best Practice for an indexer to receive syslog events directly. It's preferred to have a dedicated syslog server and use a forwarder to send the events to Splunk.</P> <P>The new value for TRUNCATE should be a little higher than the longest message you've seen truncated in splunkd.log. </P> <P>Truncated data is lost and cannot be recovered unless it is re-indexed. Of course, re-indexing probably is not possible when receiving syslog directly (which is another reason to not do it).</P> Sun, 07 Jul 2019 20:46:08 GMT https://community.splunk.com/t5/Getting-Data-In/Truncate-in-props-conf/m-p/457155#M78981 richgalloway 2019-07-07T20:46:08Z https://community.splunk.com/t5/Getting-Data-In/Truncate-in-props-conf/m-p/457156#M78982 <P>I would push VERY HARD for migrating away from syslog-direct-to-Indexer by adding a syslog-ng node and either doing either this:<BR /> <A href="http://www.georgestarcher.com/splunk-success-with-syslog/">http://www.georgestarcher.com/splunk-success-with-syslog/</A><BR /> Or this:<BR /> <A href="https://www.splunk.com/blog/2017/03/30/syslog-ng-and-hec-scalable-aggregated-data-collection-in-splunk.html">https://www.splunk.com/blog/2017/03/30/syslog-ng-and-hec-scalable-aggregated-data-collection-in-splunk.html</A></P> <P>If you get your RegEx wrong and you have huge volume, then you can crash your Indexers using <CODE>TRUNCATE=0</CODE> which is why we just keep adding <CODE>9</CODE>s to the order of magintude that we expect (e.g. <CODE>TRUNCATE = 999999</CODE>).</P> <P>To look for truncated events, look for the "leftover" pieces with a search like this:</P> <PRE><CODE>index=&lt;You Should Always Specify Your index&gt; AND sourcetype=&lt;And Your sourcetype Too&gt; | where _time == _indextime </CODE></PRE> <P>Or you can do</P> <PRE><CODE>... | regex punct!="^&lt;Your Normal Punct beginning here&gt;" </CODE></PRE> Mon, 08 Jul 2019 16:47:01 GMT https://community.splunk.com/t5/Getting-Data-In/Truncate-in-props-conf/m-p/457156#M78982 woodcock 2019-07-08T16:47:01Z