I just add a new BlueCoat box as my new proxies.
After configured it just like my actual one, the logs arrived on the Heavy Forwarder ethernet interface, but they arrived fragmented on multiple small frames, With approx 1600 Users logged on this new proxy, I'm quite sure that the logs received are not complete.
My SGOS version is 220.127.116.11
Does anybody encounter this kind of problem?
Can you add some more context to your post? Maybe include some sample events showing how they are fragmented.
How do you send your data ?
If you send by syslog, some options on syslog server are sending data by block, not taking into account the end of the line to cut the blocks.
Olivier : to complete micahkemp answer :
1. can you share your inputs and props config using btool ? (ec : command to list props is : ./splunk cmd btool props list )
2.please do check internal log for fragmentation to validate that splunk is splitting events and not something else in the chain (a syslog server could split for example) : search for index=_internal sourcetype=splunkd truncating.