Deployment Architecture

MAX_EVENTS setting on indexer not working

mudragada
Path Finder

Hi,

We have a cluster setup - where we have
1. Heavy Forwarders
2. Indexer servers and an indexer master
3. Search heads and master

I have a MAX_EVENTS configuration need for log4j source type and I made a change in indexer master $SPLUNK_HOME/etc/master-apps/my-app-props/props.conf and pushed the change to to the indexers in the cluster. I see the configuration effective in the indexer servers (ran $SPLUNK_HOME/bin/splunk cmd btool props list log4j) as I see the below output.

Still, my events are breaking at 257 lines of the event. I have at least 3 sourcetypes - for which I need to make props.conf changes. Where should these changes go? Heavy Forwarder or Indexer master/slaves?

[log4j]
ANNOTATE_PUNCT = True
AUTO_KV_JSON = true
BREAK_ONLY_BEFORE = \d\d?:\d\d:\d\d
BREAK_ONLY_BEFORE_DATE = True
CHARSET = UTF-8
DATETIME_CONFIG = /etc/datetime.xml
HEADER_MODE =
LEARN_MODEL = true
LEARN_SOURCETYPE = true
LINE_BREAKER_LOOKBEHIND = 100
MAX_DAYS_AGO = 2000
MAX_DAYS_HENCE = 2
MAX_DIFF_SECS_AGO = 3600
MAX_DIFF_SECS_HENCE = 604800
MAX_EVENTS = 10000
MAX_TIMESTAMP_LOOKAHEAD = 128
MUST_BREAK_AFTER =
MUST_NOT_BREAK_AFTER =
MUST_NOT_BREAK_BEFORE =
SEGMENTATION = indexing
SEGMENTATION-all = full
SEGMENTATION-inner = inner
SEGMENTATION-outer = outer
SEGMENTATION-raw = none
SEGMENTATION-standard = standard
SHOULD_LINEMERGE = True
TRANSFORMS =
TRUNCATE = 10000
category = Application
description = Output produced by any Java 2 Enterprise Edition (J2EE) application server using log4j
detect_trailing_nulls = false
maxDist = 75
priority =
pulldown_type = true
sourcetype =
0 Karma
1 Solution

mudragada
Path Finder

Found the answer with the help of @somesoni2. The configuration worked when i created an app under the apps directory on the heavy forwarder.

View solution in original post

0 Karma

mudragada
Path Finder

Found the answer with the help of @somesoni2. The configuration worked when i created an app under the apps directory on the heavy forwarder.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

If you've heavy forwarders (full splunk instance acting as intermediate/regular forwarder), then the event processing happens on heavy forwarder, not indexer. Keep all those props.conf on Heavy forwarders.

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...