All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is JSON getting truncated?

tcoq
Path Finder
‎09-09-2013 05:39 AM

Hi together,

I am trying to get data via REST API input, but I'am getting this message in splunkd.log:

Truncating line because limit of 10000 has been exceeded with a line length >= 62248

It seems to be that my JSON file is to long/big.

When I take a look into splunk, I can see my JSON which is cut off in the middle. This is still a problem, because the JSON is no longer well-formed and cannot longer pre-processed.

Is there a better way to get long JSON data in? (without setting line length limit because I have got some other JSONs which a much longer than my test request)

Best regards
Steffen

Labels (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

mloven_splunk
Splunk Employee
Splunk Employee
‎09-10-2013 12:43 PM

tcoq,

you can create a props.conf with this:

[yourjsonsourcetypehere]
TRUNCATE = 999999

This should work for any json logs you throw in.

However, I wonder... are your logs linebreaking properly? It's not often that I see json events that are that long.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

tcoq
Path Finder
‎09-12-2013 05:47 AM

Great! I switched to TRUNCATE=0 and it works!

0 Karma
Reply
Solved! Jump to solution
Solution

mloven_splunk
Splunk Employee
Splunk Employee
‎09-10-2013 12:43 PM

tcoq,

you can create a props.conf with this:

[yourjsonsourcetypehere]
TRUNCATE = 999999

This should work for any json logs you throw in.

However, I wonder... are your logs linebreaking properly? It's not often that I see json events that are that long.

0 Karma
Reply
Solved! Jump to solution

davedoucette
Loves-to-Learn
‎03-11-2022 10:36 AM

Where do I put the props.conf file on a windows system?

0 Karma
Reply
Solved! Jump to solution

lpolo
Motivator
‎09-11-2013 11:35 AM

You may try TRUNCATE = 0. Details:

TRUNCATE =
* Change the default maximum line length (in bytes).
* Although this is in bytes, line length is rounded down when this would
otherwise land mid-character for multi-byte characters.
* Set to 0 if you never want truncation (very long lines are, however, often a sign of
garbage data).
* Defaults to 10000 bytes.

Reply
Solved! Jump to solution

napomokoetle
Communicator
‎11-22-2016 12:37 AM

I am experiencing this same problem. But the TRUNCATE = 0 setting doesn't seem to fix the issue for me.

Did you add this parameter on the Universal Forwarder, or on the Indexer?
Or does it not matter?

0 Karma
Reply
Get Updates on the Splunk Community!

Observability | How to Think About Instrumentation Overhead (White Paper)

Novice observability practitioners are often overly obsessed with performance. They might approach ...

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

IDC Report: Enterprises Gain Higher Efficiency and Resiliency With Migration to Cloud  Today many enterprises ...

The Great Resilience Quest: 10th Leaderboard Update

The tenth leaderboard update (11.23-12.05) for The Great Resilience Quest is out >> As our brave ...