Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Few logs are getting truncated

splunklearner
Communicator
‎06-05-2025 12:31 AM

Few event logs are getting truncated while others are getting perfectly. We are using akamai add-on to pull logs to Splunk.

HF (akamai input configured) ---> sent to indexers

in DS all apps will be there (where all props and transforms) which will be pushed to CM and from CM will be pushing to individual indexers.

props.conf in DS (Ds --> CM --> IND)

[sony_waf] 
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 25
TIME_FORMAT = %b %d %H:%M:%S
LINE_BREAKER=([\r\n]+)
NO_BINARY_CHECK = true
EVENT_BREAKER_ENABLE = true
SHOULD_LINEMERGE = False
TRUNCATE = 50000
 
Few logs are getting perfectly. what to do now? Please suggest.
Labels (4)
0 Karma
Reply

splunklearner
Communicator
‎06-05-2025 12:42 AM

when I checked more in depth logs, I see perfect logs have less than 10000 lines where the logs which are truncating have 10001 lines. But I set truncated value to 50000 why this is not applying? 

0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
‎06-05-2025 12:37 AM

Hi @splunklearner 

You mention that the props/transforms are pushed to your Indexers, but is it also installed on the HF pulling the Akamai logs? Can you validate that the relevant props/transforms with the TRUNCATE set to a higher-than-longest-event value are installed on the HF?

$SPLUNK_HOME/bin/splunk btool props list sony_waf --debug

If you run this on your HF you should see your TRUNCATE value to the expected high value.

What length are your logs being truncated to?

Your approach of using DS->CM->IDX is interesting...but I dont think this is the problem here if the Akamai logs are being pulled by a HF - Ultimately we need to ensure the HF has the props!

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

 

0 Karma
Reply
Get Updates on the Splunk Community!

Community Content Calendar, November Edition

Welcome to the November edition of our Community Spotlight! Each month, we dive into the Splunk Community to ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...