Getting Data In

How do you increase maximum UDP log size?

abori
Engager

We are experiencing a complete loss of the log message if it's over approx. 1400 characters. The message doesn't show up in search results for that given endpoint.

I've tried the suggestions here and here. Neither of them worked for me.

We are using log4net with the following configuration:

  <log4net>
    <appender name="SplunkAppender" type="log4net.Appender.UdpAppender">
      <remoteAddress value="splunk.myserver.com" />
      <remotePort value="2221" />
      <layout type="log4net.Layout.PatternLayout">
        <ConversionPattern value="%utcdate log_level=%level url=%property{URL} referrer=%property{HttpReferer} agent=%property{UserAgent} %n desc=&quot;%message&quot;" />
      </layout>
    </appender>
    <root>
      <level value="INFO" />
      <appender-ref ref="SplunkAppender" />
    </root>
  </log4net>

gkanapathy
Splunk Employee

It's most likely a problem with either the log4net UdpAppender or with your network.

A UDP syslog message by protocol definition cannot be over 1024 bytes, though this is often ignored. However, it physically must fit into a single UDP packet. A UDP packet can be over 1400 bytes, but this number is suspiciously close to the Ethernet MTU of 1500 bytes, minus overhead. Probably something in either your software, stack, or network is disallowing the transmission of UDP packets larger than the Ethernet MTU, or something is failing to fragment the UDP packet to fit into the MTU. This is a pretty low-level problem that you'd probably have to talk to network admins about.

You can test first simply using "ping -s" using varying packet sizes to see if you can ping with more than 1500 bytes. (You probably can't.) You can also ascertain whether it's a Splunk problem by using nc or ncat on the Splunk server and sending your UDP messages to that program, and seeing if they arrive.
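The following is an added example (editor's code, not part of gkanapathy's answer or of log4net/Splunk) that makes the two checks above concrete: a function that computes how large a UDP payload can be before it no longer fits in one packet for a given MTU, and a small loopback listener, in the spirit of the nc/ncat test, that reports how many bytes of a sent message actually arrive. The port is chosen by the OS and the message contents are constructed filler; the header sizes are the standard 20-byte IPv4, 40-byte IPv6 and 8-byte UDP headers. As arithmetic only, 1500 minus the IPv6 and UDP headers is 1452; whether that is what produced the cap seen later in this thread is not something the thread establishes.

```python
"""Added example (not from the original thread): loopback UDP size check.

1. max_udp_payload() gives the largest UDP payload that fits in a single
   unfragmented packet for a given link MTU.
2. loopback_udp_roundtrip() binds a UDP listener on 127.0.0.1, sends a
   message of a chosen size to it and returns the byte count received, so a
   long log line can be checked for truncation or loss at the receiving end.
"""
import socket

IPV4_HEADER = 20   # bytes, IPv4 header without options
IPV6_HEADER = 40   # bytes, fixed IPv6 header
UDP_HEADER = 8     # bytes


def max_udp_payload(mtu: int, ipv6: bool = False) -> int:
    """Largest UDP payload that fits in one packet on a link with this MTU."""
    ip_header = IPV6_HEADER if ipv6 else IPV4_HEADER
    return mtu - ip_header - UDP_HEADER


def fits_in_one_packet(message: bytes, mtu: int = 1500, ipv6: bool = False) -> bool:
    """True if `message` can be carried without IP fragmentation at this MTU."""
    return len(message) <= max_udp_payload(mtu, ipv6)


def loopback_udp_roundtrip(message: bytes, timeout: float = 2.0) -> int:
    """Send `message` to a local UDP listener and return the bytes received.

    Returns -1 if nothing arrives before the timeout (a dropped datagram).
    A result smaller than len(message) means the datagram was cut short.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        listener.bind(("127.0.0.1", 0))      # port 0: let the OS pick a free port
        listener.settimeout(timeout)
        port = listener.getsockname()[1]
        sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        try:
            sender.sendto(message, ("127.0.0.1", port))
        finally:
            sender.close()
        try:
            data, _ = listener.recvfrom(65535)  # large enough for any UDP datagram
        except socket.timeout:
            return -1
        return len(data)
    finally:
        listener.close()


def size_report(sizes, mtu: int = 1500):
    """For each message size: (sent, received, fits_unfragmented_at_mtu)."""
    rows = []
    for size in sizes:
        msg = b"x" * size                     # constructed filler payload
        rows.append((size, loopback_udp_roundtrip(msg), fits_in_one_packet(msg, mtu)))
    return rows


if __name__ == "__main__":
    print("max payload at MTU 1500: IPv4 %d bytes, IPv6 %d bytes"
          % (max_udp_payload(1500), max_udp_payload(1500, ipv6=True)))
    for sent, received, fits in size_report([1000, 1400, 1500, 3000]):
        status = "dropped" if received < 0 else ("ok" if received == sent else "truncated")
        print(f"sent={sent:5d} received={received:5d} fits_in_one_packet={fits} -> {status}")
```

Over the loopback interface every size in the report normally arrives intact, because the loopback MTU is far above 1500 and the local IP stack fragments and reassembles freely; that is the baseline. To reproduce the nc/ncat test against a real client, bind the listener to the Splunk server's address and the UDP port the appender targets instead of 127.0.0.1 and port 0, and have the client send its oversized message: a count below the sent length shows truncation on the path, and a timeout shows the datagram never made it.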

abori
Engager

After running wireshark on the client and server, we found that the messages were being truncated to fit in one UDP packet (max 1452 bytes). Even though the server was receiving the truncated message, it was not showing up in the Splunk logs. We don't mind truncated messages. We mind dropped messages. Any ideas?
