Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Break single line of data.

BB2
Explorer
‎10-18-2024 01:17 PM

I have a question about breaking up a single line of data to send to the Splunk Indexer. 

We sending data which can have over 50,000 characters on a single line.  I would like to know if there is a way to break up the data on the source server with the universal forwarder before sending it to the indexer and then reassemble it after it arrives at the indexer.  

We would like to know if this is possible rather than having to increase the Truncate size on the indexer to take all the data at once.  

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

BB2
Explorer
‎10-21-2024 09:33 AM

Thanks for all the info.

We are going to go with increasing the truncate on the index server.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

BB2
Explorer
‎10-21-2024 09:33 AM

Thanks for all the info.

We are going to go with increasing the truncate on the index server.

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎10-19-2024 02:15 PM

It's a bit more complicated than that. Data is not sent from UF as events (unless you're using indexed extractions), it's getting sent as chunks (which can cause issues if you have big events and don't have event breaker configured properly).

And it's actually the other way around - you want to have event breaker (not line breaker! since no line breaking happens on UF) set so that events are _not_ split between two different chunks. The cause for it is that two chunks of data can go to different outputs from the same group and end up on two different indexers.

So even if there was a way to reassemble an event you wouldn't have anything to reassemble it from.

Long story short - you want to make sure your events are _not_ getting split.

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎10-19-2024 02:17 AM

Hi @BB2 ,

only one question: why?

if the issue is the limit of 50,000 chars, you can only increase the TRUNCATE limit.

There's no utility (even if it's possible but not!) to trucate an event on forwarders and then reassemble it  on Indexers because events are compressed and stored in packets and sent from Forwarders to Indexers with no relation with the lenght of the event.

So I ask you again why?

the only action that you must do is increasing the lenght of the events aging on the TRUNCATE parameters.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

sainag_splunk
Splunk Employee
Splunk Employee
‎10-18-2024 02:09 PM

You can apply EVENT BREAKER  settings on your props.conf. 

  • Go to your app/local directory on your Deployment server.
  • Create or edit props.conf file. 
  • Update the EVENT_BREAKER with the appropriate regex pattern for your source. Typically, this is the same as your LINE_BREAKER regex.
  • Reload the serverclass app on the Deployment server.
  • Verify that the updated props.conf is successfully deployed to the Universal Forwarder.
  • That should complete the setup.

 

 

Refer: https://community.splunk.com/t5/Getting-Data-In/How-to-apply-EVENT-BREAKER-on-UF-for-better-data-dis...


Hope this helps.

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...