Getting Data In

Data input limit on preview window

kastnern
Engager

I've been working on some sample logs with the Web UI to adjust timestamps and where the events break, so I can create a clean props.conf before putting the logs in splunk. The data logs have quite a bit of data per event, but we went ahead and made changes with the TRUNCATE = 0 and MAX_EVENTS = 10000 to account for this. With these in place, the preview window still cuts off data in the events. The only reason I can think of is that the preview area has a limit on the amount of data that can be previewed. Does anyone happen to know if there is a data limit in the web ui preview window? I can't think of any other reason why our data is being cut off. Thanks!

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Yes, by default the preview screen shows data worth 2MB. This is configured in limits.conf in $SPLUNKHOME/etc/system/default/ (or $SPLUNKHOME/etc/system/local/, local takes precedence)

[indexpreview]
max_preview_bytes = <integer>
* Maximum number of bytes to read from each file during preview
* Defaults to 2000000 (2 MB)

UPDATE

Well I have other entries for indexpreview and it looks like 'soft_preview_queue_size' is your guy.

[indexpreview]
max_preview_bytes = <integer>
* Maximum number of bytes to read from each file during preview
* Defaults to 2000000 (2 MB)

max_results_perchunk = <integer>
* Maximum number of results to emit per call to preview data generator
* Defaults to 2500

soft_preview_queue_size = <integer>
* Loosely-applied maximum on number of preview data objects held in memory
* Defaults to 100

somesoni2
SplunkTrust
SplunkTrust

I updated the answer

0 Karma

kastnern
Engager

Thank you for your response, the file size is actually below 1.5 MB, so that wouldn't cause an issue. It looks like the Splunk preview UI is only allowing 100 lines per event as a max regardless of what settings have been changed. Is that a setting that can be changed?? Or is that a parameter of the preview window and I'll have to wait and see what it looks like when I pull it in??

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...