Deployment Architecture

Why are our logs being truncated to 10,000 characters?

davidmills
Explorer

I have set...

[default]
TRUNCATE = 20000

...in $SPLUNK_HOME/etc/system/local/props.conf for our search heads (a cluster of 3), indexers (a cluster of 3) and Heavy forwarder. I have restarted all the search heads and indexers to pick up the change, but we are still getting just as many records where "meta::truncated" is getting set and the log entry is just 10,000 characters. This then plays havoc with our attempts with downstream searches to parse out JSON values using spath. Some of the information we need is just not present.

Do I need to restart the Heavy Forwarder? Is it where the truncation is occurring? Are there any data loss implications of stopping the single Heavy Forwarder?

Thanks,

David.

Tags (1)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

The truncation is happening on the heavy forwarder. Restart it to apply the props.conf setting and all should be OK.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma

richgalloway
SplunkTrust
SplunkTrust

The truncation is happening on the heavy forwarder. Restart it to apply the props.conf setting and all should be OK.

---
If this reply helps you, Karma would be appreciated.
0 Karma

davidmills
Explorer

That worked - thanks.

0 Karma

inventsekar
Ultra Champion

this will be done in test or dev or prod?!?!

0 Karma
Get Updates on the Splunk Community!

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...

Splunkbase | Splunk Dashboard Examples App for SimpleXML End of Life

The Splunk Dashboard Examples App for SimpleXML will reach end of support on Dec 19, 2024, after which no new ...

Understanding Generative AI Techniques and Their Application in Cybersecurity

Watch On-Demand Artificial intelligence is the talk of the town nowadays, with industries of all kinds ...