- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Data input limit on preview window
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Data input limit on preview window
I've been working on some sample logs with the Web UI to adjust timestamps and where the events break, so I can create a clean props.conf before putting the logs in splunk. The data logs have quite a bit of data per event, but we went ahead and made changes with the TRUNCATE = 0 and MAX_EVENTS = 10000 to account for this. With these in place, the preview window still cuts off data in the events. The only reason I can think of is that the preview area has a limit on the amount of data that can be previewed. Does anyone happen to know if there is a data limit in the web ui preview window? I can't think of any other reason why our data is being cut off. Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, by default the preview screen shows data worth 2MB. This is configured in limits.conf in $SPLUNKHOME/etc/system/default/ (or $SPLUNKHOME/etc/system/local/, local takes precedence)
[indexpreview]
max_preview_bytes = <integer>
* Maximum number of bytes to read from each file during preview
* Defaults to 2000000 (2 MB)
UPDATE
Well I have other entries for indexpreview and it looks like 'soft_preview_queue_size' is your guy.
[indexpreview]
max_preview_bytes = <integer>
* Maximum number of bytes to read from each file during preview
* Defaults to 2000000 (2 MB)
max_results_perchunk = <integer>
* Maximum number of results to emit per call to preview data generator
* Defaults to 2500
soft_preview_queue_size = <integer>
* Loosely-applied maximum on number of preview data objects held in memory
* Defaults to 100
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I updated the answer
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for your response, the file size is actually below 1.5 MB, so that wouldn't cause an issue. It looks like the Splunk preview UI is only allowing 100 lines per event as a max regardless of what settings have been changed. Is that a setting that can be changed?? Or is that a parameter of the preview window and I'll have to wait and see what it looks like when I pull it in??
How to Monitor Google Kubernetes Engine (GKE)
Index This | How can you make 45 using only 4?
Splunk Education Goes to Washington | Splunk GovSummit 2024
