Splunk Dev
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

logs not complete

jadengoho
Builder
‎08-12-2018 09:06 PM

Hi ,
I am having trouble right now on why does the splunk log is not complete/cut , in the past few months logs are coming consistently complete.
but now it is cut shows only the header and no information.
alt text

it came from a server that monitor the logs,
Can somebody tell me why this happens ?
what to investigate ?
Also what is the solution for this problem?

-thanks in advance

Tags (1)
Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sudosplunk
Motivator
‎08-20-2018 11:06 AM

Looks like the line breaking issue is because there are no settings defined in props.conf and the default settings are not working properly for your data. Can you provide sample events (at least 2) and tell me what the event boundaries are.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

sudosplunk
Motivator
‎08-20-2018 11:06 AM

Looks like the line breaking issue is because there are no settings defined in props.conf and the default settings are not working properly for your data. Can you provide sample events (at least 2) and tell me what the event boundaries are.

0 Karma
Reply
Solved! Jump to solution

jadengoho
Builder
‎08-27-2018 06:13 PM

Thanks all for the help, adding props.conf helps the data to be completed,
Still not sure on why does the logs have been cut, but thank's it's working now.

0 Karma
Reply
Solved! Jump to solution

jadengoho
Builder
‎08-14-2018 04:51 PM

1) here is my configuratoin file :
Inputs:
[monitor:///var/log/backup]
disabled = 0
sourcetype = backup:mtx

there are no props and transforms set on the whole process.
Server(log)-universal forwarder > indexer > search head

2)Are the logs getting truncated by any chance?
- The logs are being cut off in that specific part,
there are chances that it would gave as a whole, but most of the time it is missing parts after the
"============Backup Summary============"
45% of the log it sent are being cut.
Still can't figure this out.

0 Karma
Reply
Solved! Jump to solution

brian_rampley
Path Finder
‎08-20-2018 08:07 AM

Does your data contain timestamps? I don't see any in your sample logs above, but I'm curious is there are timestamps in the missing portions of the data.

0 Karma
Reply
Solved! Jump to solution

nadlurinadluri
Communicator
‎08-17-2018 09:57 AM

I was under the impression that the logs are getting truncated after 10,000 character limit. But clearly thats not the case. Did you get a chance to look at the splunkd logs and see if you have any errors highlighted?

0 Karma
Reply
Solved! Jump to solution

brian_rampley
Path Finder
‎08-12-2018 11:44 PM

I would need to see your inputs.conf, props.conf, and transforms.conf for your particular input, but my first guess would be to investigate your settings in props.conf for your sourcetype.

0 Karma
Reply
Solved! Jump to solution

nadlurinadluri
Communicator
‎08-14-2018 03:51 PM

Are the logs getting truncated by any chance?

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...