Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How can I get more than 10,000 lines into a single event?

payal23
Path Finder
‎04-10-2018 04:54 AM

I want more than 10,000 lines to merge and show in a single event.

[tally_nightly_prd]
SHOULD_LINEMERGE=true
NO_BINARY_CHECK=true
CHARSET=UTF-8
TRUNCATE=0
disabled=false
BREAK_ONLY_BEFORE=\*\*\*\*\*\*\*\*\*\*\*\*\snightlyProcess\sStarted
MAX_EVENTS=90000
TIME_FORMAT=%+
TIME_PREFIX=\*\*\*\*\*\*\*\*\*\*\*\*\snightlyProcess\sStarted
0 Karma
Reply

jinseong
Path Finder
‎04-16-2020 11:46 PM

hello

open the limits.conf and configration maxchars=10240

0 Karma
Reply

somesoni2
Revered Legend
‎04-10-2018 11:47 AM

Just want to make sure you're aware that having that many line in a single event will not give you a pleasant Splunk UI experience when viewing the same. Assuming you still want to do it, give this a try

 [tally_nightly_prd]
 SHOULD_LINEMERGE=false
 LINE_BREAKER = ([\r\n]+)(?=(\*){12}\snightlyProcess\sStarted)
 TRUNCATE=0
 MAX_EVENTS=90000
 TIME_FORMAT=%+
 TIME_PREFIX=^\*\*\*\*\*\*\*\*\*\*\*\*\snightlyProcess\sStarted
0 Karma
Reply

payal23
Path Finder
‎04-15-2018 06:12 PM

Thanks...Yes, logs are having big xml payload and hence merging in an event will make sense.

I tried the above but now the lines are breaking in single line.

😞

0 Karma
Reply

manishankark04
New Member
‎04-16-2020 01:03 PM

you can increase the truncate parameter to 40k or 50k.

0 Karma
Reply

FrankVl
Ultra Champion
‎04-10-2018 05:24 AM

And what exactly is your question? Is your current config not working as expected? If so: what is the expected outcome and what outcome are you now getting?

Also a bit more context around the data you're ingesting and what you are trying to achieve would probably help 🙂

0 Karma
Reply

payal23
Path Finder
‎04-10-2018 06:01 AM

In between my file start and end points there are number of lines in between which is more than 10,000 and i want all the lines to come under one event. But the breaking is not happening in that way. In mid it is breaking anywhere.

0 Karma
Reply

FrankVl
Ultra Champion
‎04-10-2018 06:32 AM

And how are you collecting this data? With a HF or a UF and how/where is it then forwarded?

0 Karma
Reply

payal23
Path Finder
‎04-11-2018 12:21 AM

We are collecting from UF

0 Karma
Reply

FrankVl
Ultra Champion
‎04-11-2018 12:42 AM

And is that UF sending to a single indexer/HF or to a load balanced pool of destinations (e.g. indexer cluster, multiple intermediate forwarders...)?

0 Karma
Reply

payal23
Path Finder
‎04-15-2018 06:12 PM

Sending to indexer cluster

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...