Getting Data In

Data input limit on preview window

kastnern
Engager

I've been working on some sample logs with the Web UI to adjust timestamps and where the events break, so I can create a clean props.conf before putting the logs in splunk. The data logs have quite a bit of data per event, but we went ahead and made changes with the TRUNCATE = 0 and MAX_EVENTS = 10000 to account for this. With these in place, the preview window still cuts off data in the events. The only reason I can think of is that the preview area has a limit on the amount of data that can be previewed. Does anyone happen to know if there is a data limit in the web ui preview window? I can't think of any other reason why our data is being cut off. Thanks!

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Yes, by default the preview screen shows data worth 2MB. This is configured in limits.conf in $SPLUNKHOME/etc/system/default/ (or $SPLUNKHOME/etc/system/local/, local takes precedence)

[indexpreview]
max_preview_bytes = <integer>
* Maximum number of bytes to read from each file during preview
* Defaults to 2000000 (2 MB)

UPDATE

Well I have other entries for indexpreview and it looks like 'soft_preview_queue_size' is your guy.

[indexpreview]
max_preview_bytes = <integer>
* Maximum number of bytes to read from each file during preview
* Defaults to 2000000 (2 MB)

max_results_perchunk = <integer>
* Maximum number of results to emit per call to preview data generator
* Defaults to 2500

soft_preview_queue_size = <integer>
* Loosely-applied maximum on number of preview data objects held in memory
* Defaults to 100

somesoni2
SplunkTrust
SplunkTrust

I updated the answer

0 Karma

kastnern
Engager

Thank you for your response, the file size is actually below 1.5 MB, so that wouldn't cause an issue. It looks like the Splunk preview UI is only allowing 100 lines per event as a max regardless of what settings have been changed. Is that a setting that can be changed?? Or is that a parameter of the preview window and I'll have to wait and see what it looks like when I pull it in??

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...