Deployment Architecture

Data truncated to 100kb only

mufthmu
Path Finder

I have edited the props.conf file of the indexer and UF to the following:

[sourcetype]
TRUNCATE=0
MAX_EVENTS=10000

but nothing works.
According to this thread https://answers.splunk.com/answers/155691/why-are-larger-events-are-truncated-10000-bytes.html ,
There is heavy forwarder involved. How do I know if my data flows thru a heavy forwarder before it reaches the indexer?
I have researched on this for ~4hours and still no luck
thanks!

0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

To find out if the HF is involved, 1) check the outputs.conf on the UF to see if output goes to the HF; 2) check inputs.conf on the HF to see if the sourcetype in question is reference.

Belt-and-suspenders approach: put the props.conf on the HF anyway. It won't hurt.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

mufthmu
Path Finder

I figured out the issue. I just simply needed to restart the forwarder and the indexer from the bin.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

To find out if the HF is involved, 1) check the outputs.conf on the UF to see if output goes to the HF; 2) check inputs.conf on the HF to see if the sourcetype in question is reference.

Belt-and-suspenders approach: put the props.conf on the HF anyway. It won't hurt.

---
If this reply helps you, Karma would be appreciated.

mufthmu
Path Finder

Thanks @richgalloway , This actually answered the question.
There is no HF involved in the data flow. However, Splunk still does not respond to the props.conf file that I updated both in Indexer AND the UF itself.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...