Deployment Architecture

MAX_EVENTS setting on indexer not working

mudragada
Path Finder

Hi,

We have a cluster setup - where we have
1. Heavy Forwarders
2. Indexer servers and an indexer master
3. Search heads and master

I have a MAX_EVENTS configuration need for log4j source type and I made a change in indexer master $SPLUNK_HOME/etc/master-apps/my-app-props/props.conf and pushed the change to to the indexers in the cluster. I see the configuration effective in the indexer servers (ran $SPLUNK_HOME/bin/splunk cmd btool props list log4j) as I see the below output.

Still, my events are breaking at 257 lines of the event. I have at least 3 sourcetypes - for which I need to make props.conf changes. Where should these changes go? Heavy Forwarder or Indexer master/slaves?

[log4j]
ANNOTATE_PUNCT = True
AUTO_KV_JSON = true
BREAK_ONLY_BEFORE = \d\d?:\d\d:\d\d
BREAK_ONLY_BEFORE_DATE = True
CHARSET = UTF-8
DATETIME_CONFIG = /etc/datetime.xml
HEADER_MODE =
LEARN_MODEL = true
LEARN_SOURCETYPE = true
LINE_BREAKER_LOOKBEHIND = 100
MAX_DAYS_AGO = 2000
MAX_DAYS_HENCE = 2
MAX_DIFF_SECS_AGO = 3600
MAX_DIFF_SECS_HENCE = 604800
MAX_EVENTS = 10000
MAX_TIMESTAMP_LOOKAHEAD = 128
MUST_BREAK_AFTER =
MUST_NOT_BREAK_AFTER =
MUST_NOT_BREAK_BEFORE =
SEGMENTATION = indexing
SEGMENTATION-all = full
SEGMENTATION-inner = inner
SEGMENTATION-outer = outer
SEGMENTATION-raw = none
SEGMENTATION-standard = standard
SHOULD_LINEMERGE = True
TRANSFORMS =
TRUNCATE = 10000
category = Application
description = Output produced by any Java 2 Enterprise Edition (J2EE) application server using log4j
detect_trailing_nulls = false
maxDist = 75
priority =
pulldown_type = true
sourcetype =
0 Karma
1 Solution

mudragada
Path Finder

Found the answer with the help of @somesoni2. The configuration worked when i created an app under the apps directory on the heavy forwarder.

View solution in original post

0 Karma

mudragada
Path Finder

Found the answer with the help of @somesoni2. The configuration worked when i created an app under the apps directory on the heavy forwarder.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

If you've heavy forwarders (full splunk instance acting as intermediate/regular forwarder), then the event processing happens on heavy forwarder, not indexer. Keep all those props.conf on Heavy forwarders.

Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...