Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Few logs are getting truncated

splunklearner
Communicator
‎06-05-2025 12:31 AM

Few event logs are getting truncated while others are getting perfectly. We are using akamai add-on to pull logs to Splunk.

HF (akamai input configured) ---> sent to indexers

in DS all apps will be there (where all props and transforms) which will be pushed to CM and from CM will be pushing to individual indexers.

props.conf in DS (Ds --> CM --> IND)

[sony_waf] 
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 25
TIME_FORMAT = %b %d %H:%M:%S
LINE_BREAKER=([\r\n]+)
NO_BINARY_CHECK = true
EVENT_BREAKER_ENABLE = true
SHOULD_LINEMERGE = False
TRUNCATE = 50000
 
Few logs are getting perfectly. what to do now? Please suggest.
Labels (4)
0 Karma
Reply

splunklearner
Communicator
‎06-05-2025 12:42 AM

when I checked more in depth logs, I see perfect logs have less than 10000 lines where the logs which are truncating have 10001 lines. But I set truncated value to 50000 why this is not applying? 

0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
‎06-05-2025 12:37 AM

Hi @splunklearner 

You mention that the props/transforms are pushed to your Indexers, but is it also installed on the HF pulling the Akamai logs? Can you validate that the relevant props/transforms with the TRUNCATE set to a higher-than-longest-event value are installed on the HF?

$SPLUNK_HOME/bin/splunk btool props list sony_waf --debug

If you run this on your HF you should see your TRUNCATE value to the expected high value.

What length are your logs being truncated to?

Your approach of using DS->CM->IDX is interesting...but I dont think this is the problem here if the Akamai logs are being pulled by a HF - Ultimately we need to ensure the HF has the props!

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

 

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...