topic Re: setting maximum input/log entry size in Getting Data In

setting maximum input/log entry size

tedder — Wed, 15 Sep 2010 23:48:38 GMT

So I have the following in inputs.conf:

[udp://10005]
connection_host =
index = serverlogs
sourcetype = syslog
disabled = 1

The entries appear to be truncated; how do I increase the input length so I can get full stack traces, for instance? What's the default length?

Re: setting maximum input/log entry size

ziegfried — Wed, 15 Sep 2010 23:52:58 GMT

You might want to take a look at the line-breaking/merging options in props conf. http://www.splunk.com/base/Documentation/latest/Admin/Propsconf

Especially TRUNCATE and MAX_EVENTS.

Update:

TRUNCATE is set to 10000 by default and MAX_EVENTS to 256. Probably MAX_EVENTS is the bottleneck in your case. You could try setting the following in $SPLUNK_HOME/etc/system/local/props.conf:

[syslog]
MAX_EVENTS=1000

Which would allow 1000 lines to be merged to a single event.

If you're using Splunk in LWF (lightweight forwarder) mode on the forwarder, then you have to configure this on the indexer, otherwise on the forwarder.

Re: setting maximum input/log entry size

tedder — Thu, 16 Sep 2010 03:06:44 GMT

Thanks, Ziegfried. I'm seeing ~2000 characters, but [SYSLOG] isn't set to "TRUNCATE=2000". In fact, that one isn't set. Is 2000 a default? If I add "TRUNCATE=10000, will that do it? (and does this go on my forwarder or my indexers?)

Re: setting maximum input/log entry size

ziegfried — Thu, 16 Sep 2010 14:58:00 GMT

Updated the answer...