I have edited the props.conf file of the indexer and UF to the following:
[sourcetype]
TRUNCATE=0
MAX_EVENTS=10000
but nothing works.
According to this thread https://answers.splunk.com/answers/155691/why-are-larger-events-are-truncated-10000-bytes.html, there is a heavy forwarder involved. How do I know if my data flows through a heavy forwarder before it reaches the indexer?
I have researched this for ~4 hours and still no luck.
Thanks!
To find out if the HF is involved, 1) check the outputs.conf on the UF to see if output goes to the HF; 2) check inputs.conf on the HF to see if the sourcetype in question is referenced.
Belt-and-suspenders approach: put the props.conf on the HF anyway. It won't hurt.
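The two checks from the answer above, as an added example that is not part of the original thread: it parses an outputs.conf to list the receivers a UF forwards to, and an inputs.conf to find stanzas that assign a given sourcetype. The host names, the sourcetype `big_json` and both sample files are constructed; whether a listed receiver is an HF or an indexer still has to be compared against your own host inventory.

```python
# Added example: constructed sample files and hypothetical host names.
def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def forward_targets(outputs_text):
    """Step 1: host:port receivers in the active tcpout group(s)."""
    conf = parse_conf(outputs_text)
    default = conf.get("tcpout", {}).get("defaultGroup", "")
    groups = [g.strip() for g in default.split(",") if g.strip()]
    targets = []
    for name, settings in conf.items():
        if not name.startswith("tcpout:"):
            continue
        # With a defaultGroup set, ignore groups that are not selected.
        if groups and name.split(":", 1)[1] not in groups:
            continue
        servers = settings.get("server", "").split(",")
        targets += [s.strip() for s in servers if s.strip()]
    return targets

def inputs_using_sourcetype(inputs_text, sourcetype):
    """Step 2: input stanzas that assign the given sourcetype."""
    return [name for name, s in parse_conf(inputs_text).items()
            if s.get("sourcetype") == sourcetype]

# Constructed outputs.conf from a UF and inputs.conf from a suspected HF.
UF_OUTPUTS = """[tcpout]
defaultGroup = primary
[tcpout:primary]
server = hf01.example.internal:9997, hf02.example.internal:9997
[tcpout:unused]
server = idx09.example.internal:9997
"""
HF_INPUTS = """[splunktcp://9997]
disabled = 0
[monitor:///var/log/app/big.json]
sourcetype = big_json
"""

if __name__ == "__main__":
    print("UF forwards to:", forward_targets(UF_OUTPUTS))
    print("Stanzas:", inputs_using_sourcetype(HF_INPUTS, "big_json"))
```

This reads one file at a time and does not apply Splunk's layering of default, local and app directories; `splunk btool outputs list --debug` on the host shows the merged result and the file each setting came from.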
I figured out the issue. I just simply needed to restart the forwarder and the indexer from the bin.
Thanks @richgalloway, this actually answered the question.
There is no HF involved in the data flow. However, Splunk still does not respond to the props.conf file that I updated both in Indexer AND the UF itself.