
Data input limit on preview window

kastnern
Engager

I've been working on some sample logs with the Web UI to adjust timestamps and where the events break, so I can create a clean props.conf before putting the logs in Splunk. The data logs have quite a bit of data per event, but we went ahead and made changes with the TRUNCATE = 0 and MAX_EVENTS = 10000 to account for this. With these in place, the preview window still cuts off data in the events. The only reason I can think of is that the preview area has a limit on the amount of data that can be previewed. Does anyone happen to know if there is a data limit in the Web UI preview window? I can't think of any other reason why our data is being cut off. Thanks!

0 Karma

somesoni2
Revered Legend

Yes, by default the preview screen shows data worth 2MB. This is configured in limits.conf in $SPLUNK_HOME/etc/system/default/ (or $SPLUNK_HOME/etc/system/local/; local takes precedence).

[indexpreview]
max_preview_bytes = <integer>
* Maximum number of bytes to read from each file during preview
* Defaults to 2000000 (2 MB)

UPDATE

Well, I have other entries for indexpreview and it looks like 'soft_preview_queue_size' is your guy.

[indexpreview]
max_preview_bytes = <integer>
* Maximum number of bytes to read from each file during preview
* Defaults to 2000000 (2 MB)

max_results_perchunk = <integer>
* Maximum number of results to emit per call to preview data generator
* Defaults to 2500

soft_preview_queue_size = <integer>
* Loosely-applied maximum on number of preview data objects held in memory
* Defaults to 100
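
The layering described in the answer above (default settings overridden by local), worked through as an added example that is not part of the original post or Splunk's own code. The conf contents are constructed samples, and `effective_stanza` and `preview_byte_check` are hypothetical helper names; the sketch assumes conf files whose settings all sit under a stanza header.

```python
import configparser

# Constructed sample contents, standing in for
# $SPLUNK_HOME/etc/system/default/limits.conf and .../local/limits.conf.
DEFAULT_CONF = """
[indexpreview]
max_preview_bytes = 2000000
max_results_perchunk = 2500
soft_preview_queue_size = 100
"""
LOCAL_CONF = """
[indexpreview]
# constructed override: raise the byte cap only
max_preview_bytes = 10000000
"""

def effective_stanza(stanza, *layers):
    """Merge conf layers in order; later layers (local) override earlier ones (default)."""
    merged = {}
    for text in layers:
        parser = configparser.ConfigParser(interpolation=None, strict=False)
        parser.optionxform = str  # keep key names exactly as written
        parser.read_string(text)
        if parser.has_section(stanza):
            merged.update(parser.items(stanza))
    return merged

def preview_byte_check(file_size, settings):
    """Return (truncated, cap): True when preview stops reading before end of file."""
    cap = int(settings["max_preview_bytes"])
    return file_size > cap, cap

if __name__ == "__main__":
    default_only = effective_stanza("indexpreview", DEFAULT_CONF)
    layered = effective_stanza("indexpreview", DEFAULT_CONF, LOCAL_CONF)
    for size in (1_500_000, 3_000_000):  # constructed file sizes in bytes
        for name, cfg in (("default", default_only), ("default+local", layered)):
            truncated, cap = preview_byte_check(size, cfg)
            print(f"{size} bytes, {name}: cap={cap}, truncated={truncated}")
```

On a running instance, `splunk btool limits list indexpreview --debug` prints the merged stanza together with the file each value came from.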

somesoni2
Revered Legend

I updated the answer

0 Karma

kastnern
Engager

Thank you for your response. The file size is actually below 1.5 MB, so that wouldn't cause an issue. It looks like the Splunk preview UI is only allowing 100 lines per event as a max regardless of what settings have been changed. Is that a setting that can be changed? Or is that a parameter of the preview window and I'll have to wait and see what it looks like when I pull it in?

0 Karma