Archive

MAX_EVENTS setting on indexer not working

Path Finder

Hi,

We have a cluster setup - where we have
1. Heavy Forwarders
2. Indexer servers and an indexer master
3. Search heads and master

I have a MAXEVENTS configuration need for log4j source type and I made a change in indexer master $SPLUNKHOME/etc/master-apps/my-app-props/props.conf and pushed the change to to the indexers in the cluster. I see the configuration effective in the indexer servers (ran $SPLUNK_HOME/bin/splunk cmd btool props list log4j) as I see the below output.

Still, my events are breaking at 257 lines of the event. I have at least 3 sourcetypes - for which I need to make props.conf changes. Where should these changes go? Heavy Forwarder or Indexer master/slaves?

[log4j]
ANNOTATE_PUNCT = True
AUTO_KV_JSON = true
BREAK_ONLY_BEFORE = \d\d?:\d\d:\d\d
BREAK_ONLY_BEFORE_DATE = True
CHARSET = UTF-8
DATETIME_CONFIG = /etc/datetime.xml
HEADER_MODE =
LEARN_MODEL = true
LEARN_SOURCETYPE = true
LINE_BREAKER_LOOKBEHIND = 100
MAX_DAYS_AGO = 2000
MAX_DAYS_HENCE = 2
MAX_DIFF_SECS_AGO = 3600
MAX_DIFF_SECS_HENCE = 604800
MAX_EVENTS = 10000
MAX_TIMESTAMP_LOOKAHEAD = 128
MUST_BREAK_AFTER =
MUST_NOT_BREAK_AFTER =
MUST_NOT_BREAK_BEFORE =
SEGMENTATION = indexing
SEGMENTATION-all = full
SEGMENTATION-inner = inner
SEGMENTATION-outer = outer
SEGMENTATION-raw = none
SEGMENTATION-standard = standard
SHOULD_LINEMERGE = True
TRANSFORMS =
TRUNCATE = 10000
category = Application
description = Output produced by any Java 2 Enterprise Edition (J2EE) application server using log4j
detect_trailing_nulls = false
maxDist = 75
priority =
pulldown_type = true
sourcetype =
0 Karma
1 Solution

Path Finder

Found the answer with the help of @somesoni2. The configuration worked when i created an app under the apps directory on the heavy forwarder.

View solution in original post

0 Karma

Path Finder

Found the answer with the help of @somesoni2. The configuration worked when i created an app under the apps directory on the heavy forwarder.

View solution in original post

0 Karma

SplunkTrust
SplunkTrust

If you've heavy forwarders (full splunk instance acting as intermediate/regular forwarder), then the event processing happens on heavy forwarder, not indexer. Keep all those props.conf on Heavy forwarders.