Getting Data In

Do I need to create a transforms.conf file in addition to props.conf to disable truncate for a specific sourcetype?

briandickinson
New Member

I have created a props.conf file to allow for logging an event of 16,000 characters. If I am reading the documentation correctly I can tie it to a specific source type and add it to the application I have deployed.

So, I added this props file to my app:

Increase the default line length

sourcetype = bluestripe
TRUNCATE = 0

But the line break is still happening. Do, I need to create a transforms.conf file to go with this that has a stanza name that I replicate in the props file for it to work? Or am I doing something else wrong?

0 Karma

bmacias84
Champion

hello,

their are two settings in props.conf one for truncation and event breaking. TRUNCATE applies to maximum line length of a line in bytes and the other is MAX_EVENTS which specifies the maximum number of input lines to add to any event. If you event is over 16,000 chars long and multi line you will have to set both. By default MAX_EVENTS breaks an event after 256.

Modifying these setting may cause performance issues.


[bluestripe]
TRUNCATE = 0
MAX_EVENTS = 1000

strive
Influencer

Can you post the proper snippet of your props.conf file

0 Karma

strive
Influencer

It Should be like this in props.conf

[bluestripe]
TRUNCATE = 0
0 Karma

strive
Influencer

transforms.conf is not needed

0 Karma

briandickinson
New Member

No transforms.conf needed?

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...