On the forwarder's splunkd.log, we keep getting the following warning -
09-29-2017 02:11:46.400 -0500 WARN LineBreakingProcessor - Truncating line because limit of 10000 bytes has been exceeded with a line length >= 11636 - data_source="tcp:9080" ...
How can we fix it?
from the similar posts -
You should be able to add an entry to $SPLUNK_HOME/etc/system/local/props.conf similiar to this (add it specifically for the tcp:9080):
[ tcp:9080]
TRUNCATE = 0
which would disable truncation for that log file. This overrides the default TRUNCATE value for this source.
restart splunk
$SPLUNK_HOME/bin
./splunk restart
Before:
$SPLUNK_HOME/bin/splunk cmd btool props list 'tcp:9080' | grep TRUNCATE
TRUNCATE = 10000
After:
$SPLUNK_HOME/bin/splunk cmd btool props list 'tcp:9080' | grep TRUNCATE
TRUNCATE = 0
the setting you are looking for, see props.conf.spec:
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf
#******************************************************************************
# Line breaking
#******************************************************************************
# Use the following attributes to define the length of a line.
TRUNCATE = <non-negative integer>
* Change the default maximum line length (in bytes).
* Although this is in bytes, line length is rounded down when this would
otherwise land mid-character for multi-byte characters.
* Set to 0 if you never want truncation (very long lines are, however, often a sign of
garbage data).
* Defaults to 10000 bytes.
from the similar posts -
You should be able to add an entry to $SPLUNK_HOME/etc/system/local/props.conf similiar to this (add it specifically for the tcp:9080):
[ tcp:9080]
TRUNCATE = 0
which would disable truncation for that log file. This overrides the default TRUNCATE value for this source.
restart splunk
$SPLUNK_HOME/bin
./splunk restart
Before:
$SPLUNK_HOME/bin/splunk cmd btool props list 'tcp:9080' | grep TRUNCATE
TRUNCATE = 10000
After:
$SPLUNK_HOME/bin/splunk cmd btool props list 'tcp:9080' | grep TRUNCATE
TRUNCATE = 0
the setting you are looking for, see props.conf.spec:
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf
#******************************************************************************
# Line breaking
#******************************************************************************
# Use the following attributes to define the length of a line.
TRUNCATE = <non-negative integer>
* Change the default maximum line length (in bytes).
* Although this is in bytes, line length is rounded down when this would
otherwise land mid-character for multi-byte characters.
* Set to 0 if you never want truncation (very long lines are, however, often a sign of
garbage data).
* Defaults to 10000 bytes.
Gorgeous !!
do you do this on the indexer or search head? is the data truncated or is the display of the data truncated?