Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Does TRUNCATE specify the ultimate size of an event?

danielbb
Motivator
‎02-19-2020 09:06 AM

We are not clear whether setting TRUNCATE to a certain value guarantees that the event won't exceed this size in bytes. If not, can we specify the maximum length of an event somewhere?

Tags (2)
0 Karma
Reply

manjunathmeti
Champion
‎02-19-2020 09:18 AM

Splunk truncates events in bytes, from Splunk documentation on props.conf:

TRUNCATE = <non-negative integer>
* The default maximum line length, in bytes.
* Although this is in bytes, line length is rounded down when this would
  otherwise land mid-character for multi-byte characters.
* Set to 0 if you never want truncation (very long lines are, however, often
  a sign of garbage data).
* Default: 10000
Reply

danielbb
Motivator
‎02-19-2020 10:22 AM

Ok, according to this documentation, TRUNCATE specifies the length of a line. Then we can merge lines, right? I wonder if or where we can specify the max length of an event?

Beacuae I run -

index=<index name>
| eval len = len(_raw)
| stats max(len)

And it returns 3,461,805. I would like to have a concrete limit for the length of an event.

0 Karma
Reply

manjunathmeti
Champion
‎02-19-2020 10:54 AM

You can try applying regex to truncate the _raw field. Below regex gets first 3000 characters.

props.conf:

[sourcetype]
TRUNCATE = 10000
TRANSFORMS-truncate_raw = truncate_raw

transforms.conf

[truncate_raw]
SOURCE_KEY  = _raw
REGEX = ^.{0,3000}
DEST_KEY = _raw
FORMAT = $1
Reply

danielbb
Motivator
‎02-20-2020 11:24 AM

Nice @manjunathmeti - are there any combinations where TRUNCATE does specify the length of the event?

0 Karma
Reply

danielbb
Motivator
‎02-27-2020 09:36 AM

We are fine with TRUNCATE for the max line's length and MAX_EVENTS for max number of lines.

0 Karma
Reply
Get Updates on the Splunk Community!

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...