
Large JSONs are truncated at 4KB

pschildein
Explorer

TRUNCATE is set to 0 => so no truncation there; still, events are truncated after 3969 characters => 4 KB on disk

Splunk runs on one system, RabbitMQ on another system, events are ingested via STDOUT

We already checked that the events are correctly transferred via RabbitMQ so there must be something in Splunk and/or the add-on. Maybe this is a problem in the Python wrapper or Java? Or are there additional settings for STDOUT?

Thanks in advance for your replies!

0 Karma

woodcock
Esteemed Legend

Here are the steps:
1. Put TRUNCATE=0 in props.conf for your sourcetype (if you have overridden/rewritten the sourcetype, you MUST USE THE ORIGINAL VALUE).
2. Deploy this to all Heavy Forwarders and Indexers.
3. Restart all Splunk instances there.
4. Send new data in.
5. Test the changes with a search using All time on the Timepicker and index_earliest=-5m in your search SPL to ensure that you are doing a valid test search.

0 Karma
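As an added check for the symptom in the question and the test step in the answer above (this is not code from any poster or from the AMQP add-on), the Python below takes raw events as exported from a test search and flags those that no longer parse as JSON, noting whether their size sits near the 4 KB cut reported in the thread; the events and the 4096-byte threshold are constructed assumptions.

```python
import json

# Assumption taken from the thread: events are cut at about 4 KB on disk.
SUSPECT_LIMIT = 4096


def check_event(raw: str, limit: int = SUSPECT_LIMIT) -> dict:
    """Classify one raw event as intact JSON or as broken (with the break point)."""
    size = len(raw.encode("utf-8"))
    try:
        json.loads(raw)
        return {"ok": True, "bytes": size, "near_limit": False, "error": None}
    except json.JSONDecodeError as exc:
        # exc.pos is the character offset at which the parser gave up;
        # a consistent size just under the limit points at a pipeline cut,
        # not at malformed data from the producer.
        return {
            "ok": False,
            "bytes": size,
            "near_limit": limit - 256 <= size <= limit,
            "error": f"{exc.msg} at char {exc.pos}",
        }


def find_truncated(events, limit: int = SUSPECT_LIMIT):
    """Return (index, report) for every event that does not parse as JSON."""
    hits = []
    for i, raw in enumerate(events):
        report = check_event(raw, limit)
        if not report["ok"]:
            hits.append((i, report))
    return hits


def make_sample(total_bytes: int) -> str:
    """Constructed sample: a JSON alert whose 'payload' pads it to total_bytes."""
    head = '{"alert_id": "sample-1", "severity": "high", "payload": "'
    tail = '"}'
    return head + "x" * (total_bytes - len(head) - len(tail)) + tail


# Constructed inputs: one intact 6 KB event and the same event cut at 3969
# characters, mirroring the truncation described in the question.
INTACT = make_sample(6000)
CUT = INTACT[:3969]

if __name__ == "__main__":
    for idx, rep in find_truncated([INTACT, CUT]):
        print(f"event {idx}: {rep['bytes']} bytes, near_limit={rep['near_limit']}, {rep['error']}")
```

Run it against the raw field of a search exported after the TRUNCATE change; if every flagged event is near_limit, the cut is happening somewhere in the ingest path rather than in the data itself.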

Damien_Dallimor
Ultra Champion

Try TRUNCATE=0 in props.conf for your sourcetype

Many answers about this here already, just search around.

0 Karma

paulbannister
Communicator

Might be unrelated, but I had a similar issue with a large JSON input doing this even with TRUNCATE set to 0.

It was resolved by setting the "Response Handler" in the input to "JSONArrayHandler". This was an API input, however, so I'm unsure if it relates to yours, but I thought I'd share just in case.

0 Karma

pschildein
Explorer

Hi, thanks, but I think that does not apply to our case. We are handling large individual JSON objects, not arrays. Also, it is not an API input but stdout.

0 Karma

Damien_Dallimor
Ultra Champion

Any errors in the logs? (search: index=_internal error amqp.py)

What does your config look like? (your amqp stanza in inputs.conf)

0 Karma

pschildein
Explorer

No errors in the logs. Our amqp stanza in inputs.conf:

[amqp://alerts]
ack_messages = 1
hec_batch_mode = 0
hec_https = 0
hostname = amqp-server
index_message_envelope = 0
index_message_propertys = 0
output_type = stdout
password = xxx
port = 5672
queue_name = amqp-queue
sourcetype = alerts
use_ssl = 0
username = xxxx
index = index
disabled = 0
exchange_name = alerts
hec_token = yyyyyyyyyyyyyyyyyyyy
host =

0 Karma

pschildein
Explorer

Hi, we still have the above-mentioned problem; anything new there? Thanks! If you need more information, please let me know.

0 Karma

mckenzie19
Engager

@pschildein I also have this issue. Truncating at 4 KB and I cannot see any logic as to why. Did you make any progress?

0 Karma

pschildein
Explorer

No, we changed our input to use HEC directly.

0 Karma