Solved: Data truncated to 100kb only

mufthmu · ‎12-12-2019

I have edited the props.conf file of the indexer and UF to the following:

[sourcetype]
TRUNCATE=0
MAX_EVENTS=10000

but nothing works.
According to this thread https://answers.splunk.com/answers/155691/why-are-larger-events-are-truncated-10000-bytes.html ,
There is heavy forwarder involved. How do I know if my data flows thru a heavy forwarder before it reaches the indexer?
I have researched on this for ~4hours and still no luck
thanks!

richgalloway · ‎12-12-2019

To find out if the HF is involved, 1) check the outputs.conf on the UF to see if output goes to the HF; 2) check inputs.conf on the HF to see if the sourcetype in question is reference.

Belt-and-suspenders approach: put the props.conf on the HF anyway. It won't hurt.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

mufthmu · ‎12-13-2019

I figured out the issue. I just simply needed to restart the forwarder and the indexer from the bin.

richgalloway · ‎12-12-2019

To find out if the HF is involved, 1) check the outputs.conf on the UF to see if output goes to the HF; 2) check inputs.conf on the HF to see if the sourcetype in question is reference.

Belt-and-suspenders approach: put the props.conf on the HF anyway. It won't hurt.

---
If this reply helps you, Karma would be appreciated.

mufthmu · ‎12-13-2019

Thanks @richgalloway , This actually answered the question.
There is no HF involved in the data flow. However, Splunk still does not respond to the props.conf file that I updated both in Indexer AND the UF itself.

Data truncated to 100kb only

.conf24 | Day 0

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

Troubleshooting the OpenTelemetry Collector