Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How can I get more than 10,000 lines into a single event?

payal23
Path Finder
‎04-10-2018 04:54 AM

I want more than 10,000 lines to merge and show in a single event.

[tally_nightly_prd]
SHOULD_LINEMERGE=true
NO_BINARY_CHECK=true
CHARSET=UTF-8
TRUNCATE=0
disabled=false
BREAK_ONLY_BEFORE=\*\*\*\*\*\*\*\*\*\*\*\*\snightlyProcess\sStarted
MAX_EVENTS=90000
TIME_FORMAT=%+
TIME_PREFIX=\*\*\*\*\*\*\*\*\*\*\*\*\snightlyProcess\sStarted
0 Karma
Reply

jinseong
Path Finder
‎04-16-2020 11:46 PM

hello

open the limits.conf and configration maxchars=10240

0 Karma
Reply

somesoni2
Revered Legend
‎04-10-2018 11:47 AM

Just want to make sure you're aware that having that many line in a single event will not give you a pleasant Splunk UI experience when viewing the same. Assuming you still want to do it, give this a try

 [tally_nightly_prd]
 SHOULD_LINEMERGE=false
 LINE_BREAKER = ([\r\n]+)(?=(\*){12}\snightlyProcess\sStarted)
 TRUNCATE=0
 MAX_EVENTS=90000
 TIME_FORMAT=%+
 TIME_PREFIX=^\*\*\*\*\*\*\*\*\*\*\*\*\snightlyProcess\sStarted
0 Karma
Reply

payal23
Path Finder
‎04-15-2018 06:12 PM

Thanks...Yes, logs are having big xml payload and hence merging in an event will make sense.

I tried the above but now the lines are breaking in single line.

😞

0 Karma
Reply

manishankark04
New Member
‎04-16-2020 01:03 PM

you can increase the truncate parameter to 40k or 50k.

0 Karma
Reply

FrankVl
Ultra Champion
‎04-10-2018 05:24 AM

And what exactly is your question? Is your current config not working as expected? If so: what is the expected outcome and what outcome are you now getting?

Also a bit more context around the data you're ingesting and what you are trying to achieve would probably help 🙂

0 Karma
Reply

payal23
Path Finder
‎04-10-2018 06:01 AM

In between my file start and end points there are number of lines in between which is more than 10,000 and i want all the lines to come under one event. But the breaking is not happening in that way. In mid it is breaking anywhere.

0 Karma
Reply

FrankVl
Ultra Champion
‎04-10-2018 06:32 AM

And how are you collecting this data? With a HF or a UF and how/where is it then forwarded?

0 Karma
Reply

payal23
Path Finder
‎04-11-2018 12:21 AM

We are collecting from UF

0 Karma
Reply

FrankVl
Ultra Champion
‎04-11-2018 12:42 AM

And is that UF sending to a single indexer/HF or to a load balanced pool of destinations (e.g. indexer cluster, multiple intermediate forwarders...)?

0 Karma
Reply

payal23
Path Finder
‎04-15-2018 06:12 PM

Sending to indexer cluster

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...