Splunk Dev
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

logs not complete

jadengoho
Builder
‎08-12-2018 09:06 PM

Hi ,
I am having trouble right now on why does the splunk log is not complete/cut , in the past few months logs are coming consistently complete.
but now it is cut shows only the header and no information.
alt text

it came from a server that monitor the logs,
Can somebody tell me why this happens ?
what to investigate ?
Also what is the solution for this problem?

-thanks in advance

Tags (1)
Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sudosplunk
Motivator
‎08-20-2018 11:06 AM

Looks like the line breaking issue is because there are no settings defined in props.conf and the default settings are not working properly for your data. Can you provide sample events (at least 2) and tell me what the event boundaries are.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

sudosplunk
Motivator
‎08-20-2018 11:06 AM

Looks like the line breaking issue is because there are no settings defined in props.conf and the default settings are not working properly for your data. Can you provide sample events (at least 2) and tell me what the event boundaries are.

0 Karma
Reply
Solved! Jump to solution

jadengoho
Builder
‎08-27-2018 06:13 PM

Thanks all for the help, adding props.conf helps the data to be completed,
Still not sure on why does the logs have been cut, but thank's it's working now.

0 Karma
Reply
Solved! Jump to solution

jadengoho
Builder
‎08-14-2018 04:51 PM

1) here is my configuratoin file :
Inputs:
[monitor:///var/log/backup]
disabled = 0
sourcetype = backup:mtx

there are no props and transforms set on the whole process.
Server(log)-universal forwarder > indexer > search head

2)Are the logs getting truncated by any chance?
- The logs are being cut off in that specific part,
there are chances that it would gave as a whole, but most of the time it is missing parts after the
"============Backup Summary============"
45% of the log it sent are being cut.
Still can't figure this out.

0 Karma
Reply
Solved! Jump to solution

brian_rampley
Path Finder
‎08-20-2018 08:07 AM

Does your data contain timestamps? I don't see any in your sample logs above, but I'm curious is there are timestamps in the missing portions of the data.

0 Karma
Reply
Solved! Jump to solution

nadlurinadluri
Communicator
‎08-17-2018 09:57 AM

I was under the impression that the logs are getting truncated after 10,000 character limit. But clearly thats not the case. Did you get a chance to look at the splunkd logs and see if you have any errors highlighted?

0 Karma
Reply
Solved! Jump to solution

brian_rampley
Path Finder
‎08-12-2018 11:44 PM

I would need to see your inputs.conf, props.conf, and transforms.conf for your particular input, but my first guess would be to investigate your settings in props.conf for your sourcetype.

0 Karma
Reply
Solved! Jump to solution

nadlurinadluri
Communicator
‎08-14-2018 03:51 PM

Are the logs getting truncated by any chance?

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...