https://community.splunk.com/t5/Getting-Data-In/json-gets-truncated/m-p/470190#M80859 <P><A href="https://answers.splunk.com/answers/577522/json-file-getting-truncated.html">json-file-getting-truncated</A></P> <P>how about this?</P> Sat, 28 Dec 2019 00:54:05 GMT to4kawa 2019-12-28T00:54:05Z https://community.splunk.com/t5/Getting-Data-In/json-gets-truncated/m-p/470189#M80858 <P>Valid json gets truncated for some reason. Below is the props.conf file:</P> <P>TRUNCATE = 0<BR /> KV_MODE = json<BR /> NO_BINARY_CHECK = true<BR /> BREAK_ONLY_BEFORE = ^\x7B<BR /> LINE_BREAKER = ([\r\n]+)(\x7B)<BR /> SHOULD_LINEMERGE = false<BR /> DATETIME_CONFIG = CURRENT</P> <P>Any suggestions?</P> Wed, 30 Sep 2020 03:26:38 GMT https://community.splunk.com/t5/Getting-Data-In/json-gets-truncated/m-p/470189#M80858 gkapitany 2020-09-30T03:26:38Z https://community.splunk.com/t5/Getting-Data-In/json-gets-truncated/m-p/470190#M80859 <P><A href="https://answers.splunk.com/answers/577522/json-file-getting-truncated.html">json-file-getting-truncated</A></P> <P>how about this?</P> Sat, 28 Dec 2019 00:54:05 GMT https://community.splunk.com/t5/Getting-Data-In/json-gets-truncated/m-p/470190#M80859 to4kawa 2019-12-28T00:54:05Z https://community.splunk.com/t5/Getting-Data-In/json-gets-truncated/m-p/470191#M80860 <P>I've tried also a few alternate line breakers with no success:</P> <P>LINE_BREAKER = ([\r\n]+)(\x7B(\x22))audit<BR /> LINE_BREAKER = ([\r\n]+)(\x7B)audit<BR /> LINE_BREAKER = ([\r\n]*)(?={)<BR /> no line breaker and INDEXED_EXTRACTIONS = json</P> <P>Below is the beginning of the json (truncated here to keep the post clean)<BR /> {"audit":"16463","hostScore":"0","name":"to8pt.sample.com","macAddress":"","os":"OS Undetermined",</P> Wed, 30 Sep 2020 03:29:44 GMT https://community.splunk.com/t5/Getting-Data-In/json-gets-truncated/m-p/470191#M80860 gkapitany 2020-09-30T03:29:44Z https://community.splunk.com/t5/Getting-Data-In/json-gets-truncated/m-p/470192#M80861 <P><CODE>LINE_BREAKER = ([\r\n]*)(?=\{)</CODE><BR /> How about this?<BR /> you should do escape the character "{"</P> Mon, 30 Dec 2019 21:32:57 GMT https://community.splunk.com/t5/Getting-Data-In/json-gets-truncated/m-p/470192#M80861 to4kawa 2019-12-30T21:32:57Z https://community.splunk.com/t5/Getting-Data-In/json-gets-truncated/m-p/470193#M80862 <P>It didn't work either.</P> Tue, 31 Dec 2019 18:17:10 GMT https://community.splunk.com/t5/Getting-Data-In/json-gets-truncated/m-p/470193#M80862 gkapitany 2019-12-31T18:17:10Z https://community.splunk.com/t5/Getting-Data-In/json-gets-truncated/m-p/470194#M80863 <PRE><CODE>TRUNCATE = 0 KV_MODE = json NO_BINARY_CHECK = true LINE_BREAKER = ([\r\n]+)(?=\{) SHOULD_LINEMERGE = false DATETIME_CONFIG = CURRENT </CODE></PRE> <P>How many logs are actually there and how many are trancated?<BR /> Also, is it LINE_BREAKER that doesn't work?<BR /> I think it's different from your question.</P> <P><A href="https://answers.splunk.com/answers/511589/how-to-configure-line-breaking-for-my-sample-json.html">JSON props.conf</A></P> Tue, 31 Dec 2019 22:01:25 GMT https://community.splunk.com/t5/Getting-Data-In/json-gets-truncated/m-p/470194#M80863 to4kawa 2019-12-31T22:01:25Z https://community.splunk.com/t5/Getting-Data-In/json-gets-truncated/m-p/470195#M80864 <P>Could you try to do a <CODE>| eval eventlenght = len(_raw)</CODE> to see if Splunk truncates at the same position every time?</P> Wed, 01 Jan 2020 13:52:45 GMT https://community.splunk.com/t5/Getting-Data-In/json-gets-truncated/m-p/470195#M80864 rvaglid 2020-01-01T13:52:45Z https://community.splunk.com/t5/Getting-Data-In/json-gets-truncated/m-p/470196#M80865 <P>Everything gets truncated eventually, unless you use the (somewhat dangerous) <CODE>TRUNCATE = 0</CODE> setting. Up your value for <CODE>TRUNCATE</CODE>:<BR /> <A href="https://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf">https://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf</A></P> <PRE><CODE>#****************************************************************************** # Line breaking #****************************************************************************** # Use the following attributes to define the length of a line. TRUNCATE = &lt;non-negative integer&gt; * Change the default maximum line length (in bytes). * Although this is in bytes, line length is rounded down when this would otherwise land mid-character for multi-byte characters. * Set to 0 if you never want truncation (very long lines are, however, often a sign of garbage data). * Defaults to 10000 bytes. </CODE></PRE> <P>You should be getting logs like this:</P> <PRE><CODE>01-01-2020 18:40:37.625 +0000 WARN LineBreakingProcessor - Truncating line because limit of 10000 has been exceeded </CODE></PRE> Wed, 01 Jan 2020 16:08:24 GMT https://community.splunk.com/t5/Getting-Data-In/json-gets-truncated/m-p/470196#M80865 woodcock 2020-01-01T16:08:24Z https://community.splunk.com/t5/Getting-Data-In/json-gets-truncated/m-p/470197#M80866 <P>Hi,</P> <P>No , there isn't any log record about truncation due to length. The reason I set TRUNCATE = 0 was to eliminate any potential issue due to length. The intent is to set it to 30000 once I figure out why it gets truncated. </P> <P>All error messages are like the one below but with different values:<BR /> ERROR JsonLineBreaker - JSON StreamId:18294845293918380307 had parsing error:Unexpected character while looking for value: 'r' - da<BR /> ta_source="/opt/splunk/vne2splunk/log.json", data_host="splmx1.sample.com", data_sourcetype="_json"</P> <P>Some logs are parsed correctly like the one below:<BR /> {<BR /> "audit": "16489",<BR /> "hostScore": "0",<BR /> "name": "to8pt.sample.com",<BR /> "macAddress": "",<BR /> "os": "OS Undetermined",<BR /> "vulnerabilities": "1",<BR /> "netbiosName": "",<BR /> "application": {<BR /> "": "port - 5040",<BR /> "id: 6119 Application: DCE/MS RPC Endpoint Mapper Interface (TCP) description: DCE/MS RPC Endpoint Mapper Interface. parent: 165": "port - 135",<BR /> "id: 165 Service: DCE/MS RPC over TCP description: Microsoft RPC (Remote Procedure Call) over TCP is used by many services, including: DHCP Manager, DNS Administration, WINS Manager, Exchange Client/Server, Exchange Administrator and RPC. Third party applications, such as Symantec/Veritas BackupExec, may also make use of it. protocol: tcp transport: n/a parentid: n/a": "port - 135",<BR /> "id: 8037 Service: IPv4 Layer 4 description: Generic Layer 3 / Layer 4 RAW socket access. protocol: ip transport: n/a parentid: n/a": "port - 0"<BR /> },<BR /> "timeStamp": "2020-01-02 00:03:56",<BR /> "ipAddress": "172.16.25.32",<BR /> "id": "4128157",<BR /> "network": "INT - Transports"<BR /> }</P> <P>The only difference is that the "application " object varies in length. One example I have is in Splunk gets truncated at 14,532 character, but the original json has 15,071 characters.</P> <P>This leads me to believe that the issue is related to some character sequence but not sure which one.</P> Wed, 30 Sep 2020 03:34:56 GMT https://community.splunk.com/t5/Getting-Data-In/json-gets-truncated/m-p/470197#M80866 gkapitany 2020-09-30T03:34:56Z https://community.splunk.com/t5/Getting-Data-In/json-gets-truncated/m-p/470198#M80867 <P>Hi rvaglid,</P> <P>I ran the suggested eval on a few entries and the truncation position is not consistent:<BR /> 11170<BR /> 12231<BR /> 13721<BR /> 11331</P> <P>Like I mentioned above it doesn't appear that the truncation occurs due to length but rather a character sequence. </P> Thu, 02 Jan 2020 13:24:10 GMT https://community.splunk.com/t5/Getting-Data-In/json-gets-truncated/m-p/470198#M80867 gkapitany 2020-01-02T13:24:10Z