
TRUNCATE for sourcetype="web_ping:response", for "website monitoring" app?

Communicator

Apologies if this has been asked before - or if the answer is all too obvious...

Where is the TRUNCATE setting for sourcetype="web_ping:response", for "website monitoring" app? Just updated the app to the latest release (2.9.1) which adds "Save the response body" option and it seems the response is truncated at 1,000 characters.

Thanks!

0 Karma

Re: TRUNCATE for sourcetype="web_ping:response", for "website monitoring" app?

Ultra Champion

Truncation settings apply at the parsing stage, so you need to make sure it’s set in the appropriate server for your deployment.

If the website monitoring app is collecting on a heavy forwarder you should set it on the HF.

If instead you run it on your search head, you should configure it there.

In both cases, the path you need to set it in is $SPLUNK_HOME/etc/apps/app name/local/props.conf

0 Karma

Re: TRUNCATE for sourcetype="web_ping:response", for "website monitoring" app?

Ultra Champion

Truncate is set in props.conf

The default value for truncate is 10,000 bytes.
If you wish to disable truncation, set `TRUNCATE = 0`

0 Karma

Re: TRUNCATE for sourcetype="web_ping:response", for "website monitoring" app?

Communicator

> The default value for truncate is 10,000 bytes

That's correct for my environment. Why does it truncate at 1K then?

> Truncate is set in props.conf

You're saying it's on a master node in /opt/splunk/etc/master-apps/_cluster/local/props.conf (assuming default locations) and not in any other file that is specific to the app (e.g. somewhere in /opt/splunk/etc/apps/website_monitoring/ on the search head) and should look something like,

[web_ping:response]
# or some other number
TRUNCATE = 0

?

0 Karma

Re: TRUNCATE for sourcetype="web_ping:response", for "website monitoring" app?

Communicator

> In both cases, the path you need to set it in is $SPLUNK_HOME/etc/apps/app name/local/props.conf

It's on a search head, and creating /opt/splunk/etc/apps/website_monitoring/local/props.conf (there wasn't such a file there before) with the following stanza and restarting Splunk didn't change the behavior.

[web_ping:response]
TRUNCATE = 0

... it's still truncating at 1K characters.

> If you want to check if the app is limiting its own truncation, check $SPLUNK_HOME/etc/apps/app name/default/props.conf

Here is what's in /opt/splunk/etc/apps/website_monitoring/default/props.conf:

[source::...web_availability_modular_input.log]
sourcetype=web_availability_modular_input

[source::...website_monitoring_rest_handler.log]
sourcetype=website_monitoring_rest_handler

...

0 Karma

Re: TRUNCATE for sourcetype="web_ping:response", for "website monitoring" app?

Communicator

@mitag Website Monitoring actually has a separate parameter that can be set to determine the amount of HTTP response to be included when the response body is enabled. The script that performs the ping will then capture up to that amount and store it in the web_ping:response sourcetype.

The default is set in the websitemonitoring.conf file with the parameter named *maxresponsebodylength*. The README incorrectly lists the default as -1 (unlimited). The bin/webping.py script (see line 727 and line 758) actually sets the default to 1000 if it is not set in the configuration file. Right now, this is a hidden configuration item that you need to manually set in your local/websitemonitoring.conf file if you want it greater than 1000 or at -1 (disabled).

The default truncate for the heavy forwarder where you have Website Monitoring or the TRUNCATE= value in your props.conf for default or the webping stanza may override the *maxresponsebodylength* parameter. You may need to adjust that setting in props.conf as well.

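The thread's outcome as an added example (not code from the Website Monitoring app, Splunk, or any poster): a small model of the two limits showing why `TRUNCATE = 0` alone still leaves the body at 1,000. The function names are hypothetical; the 1000 fallback and 10,000 default are the values quoted in the posts above. It assumes a simplified precedence (local over default, sourcetype stanza over `[default]`) and compares the character cap and the byte limit as if they were the same unit.

```python
SCRIPT_DEFAULT_BODY_CAP = 1000   # assumption: fallback the post above attributes to the ping script
SPLUNK_DEFAULT_TRUNCATE = 10000  # props.conf default quoted in the thread


def parse_conf(text):
    """Parse Splunk-style .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas


def merge(*layers):
    """Merge parsed layers; later ones (local) override earlier ones (default)."""
    merged = {}
    for layer in layers:
        for stanza, settings in layer.items():
            merged.setdefault(stanza, {}).update(settings)
    return merged


def truncate_for(props, sourcetype):
    """TRUNCATE from the sourcetype stanza, then [default], then the built-in default."""
    for stanza in (sourcetype, "default"):
        if "TRUNCATE" in props.get(stanza, {}):
            return int(props[stanza]["TRUNCATE"])
    return SPLUNK_DEFAULT_TRUNCATE


def effective_limit(body_cap, truncate):
    """Smallest active limit or None; body_cap None = unset, -1 = off; truncate 0 = off."""
    cap = SCRIPT_DEFAULT_BODY_CAP if body_cap is None else body_cap
    active = [n for n in (cap, truncate) if n not in (-1, 0)]
    return min(active) if active else None


# Constructed sample: the local props.conf stanza tried in the thread.
LOCAL_PROPS = "[web_ping:response]\nTRUNCATE = 0\n"
DEFAULT_PROPS = "[source::...web_availability_modular_input.log]\nsourcetype=web_availability_modular_input\n"


def thread_case():
    props = merge(parse_conf(DEFAULT_PROPS), parse_conf(LOCAL_PROPS))
    return effective_limit(None, truncate_for(props, "web_ping:response"))
```

With the app's cap unset, `thread_case()` returns 1000 even though TRUNCATE is disabled; disabling the cap (-1) while leaving TRUNCATE at its default moves the limit to 10000.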