All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is dest_content in http stream data getting truncated after updating Splunk App for Stream from 6.1.0 to 6.2.2?

heath
Path Finder
‎06-17-2015 09:55 AM

We updated stream from 6.1.0 to 6.2.2. Since then the http response data in dest_content has been getting truncated at random locations. The maximum size of dest_content went from about 95K before the update to about 14K now. Is there some kind of new limit or some setting I need to configure?

| eval dest_content_size=len(dest_content) | stats avg(dest_content_size) as avg_size max(dest_content_size) as max_size

stream 6.1.0:

avg_size        max_size
13762.567416    95007

stream 6.2.2:

avg_size        max_size
4971.677987  14235
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

csharp_splunk
Splunk Employee
Splunk Employee
‎06-17-2015 10:28 AM

In 6.2 we added a cap for field size to limit the risk of unbounded memory growth. This field is MaxFieldSize, but unfortunately it didn't make it the docs.

http://docs.splunk.com/Documentation/StreamApp/6.2.2/DeployStreamApp/ConfigureStreamForwarder#Config...

That docs page covers how to configure streamfwd.xml, and if you add a MaxFieldSize parameter you can up the limit to something larger if you're concerned about RAM growth or if not you can set the value to 0 for unlimited.

View solution in original post

Reply
Solved! Jump to solution
Solution

csharp_splunk
Splunk Employee
Splunk Employee
‎06-17-2015 10:28 AM

In 6.2 we added a cap for field size to limit the risk of unbounded memory growth. This field is MaxFieldSize, but unfortunately it didn't make it the docs.

http://docs.splunk.com/Documentation/StreamApp/6.2.2/DeployStreamApp/ConfigureStreamForwarder#Config...

That docs page covers how to configure streamfwd.xml, and if you add a MaxFieldSize parameter you can up the limit to something larger if you're concerned about RAM growth or if not you can set the value to 0 for unlimited.

Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...