Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Data truncated to 100kb only

mufthmu
Path Finder
‎12-12-2019 03:45 PM

I have edited the props.conf file of the indexer and UF to the following:

[sourcetype]
TRUNCATE=0
MAX_EVENTS=10000

but nothing works.
According to this thread https://answers.splunk.com/answers/155691/why-are-larger-events-are-truncated-10000-bytes.html ,
There is heavy forwarder involved. How do I know if my data flows thru a heavy forwarder before it reaches the indexer?
I have researched on this for ~4hours and still no luck
thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎12-12-2019 06:13 PM

To find out if the HF is involved, 1) check the outputs.conf on the UF to see if output goes to the HF; 2) check inputs.conf on the HF to see if the sourcetype in question is reference.

Belt-and-suspenders approach: put the props.conf on the HF anyway. It won't hurt.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

mufthmu
Path Finder
‎12-13-2019 03:52 PM

I figured out the issue. I just simply needed to restart the forwarder and the indexer from the bin.

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎12-12-2019 06:13 PM

To find out if the HF is involved, 1) check the outputs.conf on the UF to see if output goes to the HF; 2) check inputs.conf on the HF to see if the sourcetype in question is reference.

Belt-and-suspenders approach: put the props.conf on the HF anyway. It won't hurt.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

mufthmu
Path Finder
‎12-13-2019 11:12 AM

Thanks @richgalloway , This actually answered the question.
There is no HF involved in the data flow. However, Splunk still does not respond to the props.conf file that I updated both in Indexer AND the UF itself.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...