Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Few logs are getting truncated

splunklearner
Communicator
a week ago

Few event logs are getting truncated while others are getting perfectly. We are using akamai add-on to pull logs to Splunk.

HF (akamai input configured) ---> sent to indexers

in DS all apps will be there (where all props and transforms) which will be pushed to CM and from CM will be pushing to individual indexers.

props.conf in DS (Ds --> CM --> IND)

[sony_waf] 
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 25
TIME_FORMAT = %b %d %H:%M:%S
LINE_BREAKER=([\r\n]+)
NO_BINARY_CHECK = true
EVENT_BREAKER_ENABLE = true
SHOULD_LINEMERGE = False
TRUNCATE = 50000
 
Few logs are getting perfectly. what to do now? Please suggest.
Labels (4)
0 Karma
Reply

splunklearner
Communicator
a week ago

when I checked more in depth logs, I see perfect logs have less than 10000 lines where the logs which are truncating have 10001 lines. But I set truncated value to 50000 why this is not applying? 

0 Karma
Reply

livehybrid
Super Champion
a week ago

Hi @splunklearner 

You mention that the props/transforms are pushed to your Indexers, but is it also installed on the HF pulling the Akamai logs? Can you validate that the relevant props/transforms with the TRUNCATE set to a higher-than-longest-event value are installed on the HF?

$SPLUNK_HOME/bin/splunk btool props list sony_waf --debug

If you run this on your HF you should see your TRUNCATE value to the expected high value.

What length are your logs being truncated to?

Your approach of using DS->CM->IDX is interesting...but I dont think this is the problem here if the Akamai logs are being pulled by a HF - Ultimately we need to ensure the HF has the props!

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

 

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...