Getting Data In

How do you increase maximum UDP log size?

abori
Engager

We are experiencing a complete loss of the log message if it's over approx. 1400 characters. The message doesn't show up in search results for that given endpoint.

I've tried the suggestions here and here. Neither of them worked for me.

We are using log4net with the following configuration:

  <log4net>
    <appender name="SplunkAppender" type="log4net.Appender.UdpAppender">
      <remoteAddress value="splunk.myserver.com" />
      <remotePort value="2221" />
      <layout type="log4net.Layout.PatternLayout">
        <ConversionPattern value="%utcdate log_level=%level url=%property{URL} referrer=%property{HttpReferer} agent=%property{UserAgent} %n desc=&quot;%message&quot;" />
      </layout>
    </appender>
    <root>
      <level value="INFO" />
      <appender-ref ref="SplunkAppender" />
    </root>
  </log4net>

gkanapathy
Splunk Employee

It's most likely a problem with either the log4net UdpAppender or with your network.

A UDP syslog message by protocol definition cannot be over 1024 bytes, though this is often ignored. However, it physically must fit into a single UDP packet. A UDP packet can be over 1400 bytes, but this number is suspiciously close to the Ethernet MTU of 1500 bytes, minus overhead. Probably something in either your software, stack, or network is disallowing the transmission of UDP packets larger than the Ethernet MTU, or something is failing to fragment the UDP packet to fit into the MTU. This is a pretty low-level problem that you'd probably have to talk to network admins about.

You can test first simply using "ping -s" using varying packet sizes to see if you can ping with more than 1500 bytes. (You probably can't.) You can also ascertain whether it's a Splunk problem by using nc or ncat on the Splunk server and sending your UDP messages to that program, and seeing if they arrive.
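As an added illustration of the nc/ncat check described above (my own example, not code from this thread or from Splunk): a small Python probe that binds a loopback UDP listener, sends one datagram per chosen size, and reports whether each arrived intact, truncated, or not at all, so that a silently dropped log message (a blind spot for any detection built on those logs) shows up as a measured ceiling rather than a guess. The host, payload pattern and the per-MTU budget helper are my own choices; the 1452-byte figure it reproduces is 1500 minus a 40-byte IPv6 header and an 8-byte UDP header.

```python
import socket
from typing import Dict, Iterable, Optional

IPV4_HDR, IPV6_HDR, UDP_HDR = 20, 40, 8


def udp_payload_budget(mtu: int = 1500, ipv6: bool = False) -> int:
    """Largest UDP payload that fits one unfragmented packet at this MTU.
    For a 1500-byte Ethernet MTU: 1472 bytes over IPv4, 1452 over IPv6."""
    return mtu - (IPV6_HDR if ipv6 else IPV4_HDR) - UDP_HDR


def classify(sent: bytes, received: Optional[bytes]) -> str:
    """What the collector saw for one datagram: intact, truncated, lost or corrupted."""
    if received is None:
        return "lost"
    if received == sent:
        return "intact"
    return "truncated" if sent.startswith(received) else "corrupted"


def probe_udp_sizes(sizes: Iterable[int], host: str = "127.0.0.1",
                    timeout: float = 1.0, recv_buf: int = 65535) -> Dict[int, str]:
    """Stand-in for 'nc -u -l' on the collector: bind a loopback listener on an
    ephemeral port, send one datagram per size, and report how each arrived.
    The kernel queues datagrams, so send-then-receive works without a thread."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind((host, 0))
    port = srv.getsockname()[1]
    srv.settimeout(timeout)
    cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    results: Dict[int, str] = {}
    for size in sizes:
        # Constructed payload: a length tag followed by filler, cut to exactly `size`
        # bytes, so a truncated copy is still recognisable as a prefix of the original.
        payload = (f"len={size} " + "x" * size).encode()[:size]
        cli.sendto(payload, (host, port))
        try:
            data, _ = srv.recvfrom(recv_buf)
        except socket.timeout:
            data = None
        results[size] = classify(payload, data)
    cli.close()
    srv.close()
    return results


if __name__ == "__main__":
    # On loopback (MTU 65536) all of these should arrive intact.
    for size, status in probe_udp_sizes([512, 1452, 1453, 8000]).items():
        print(f"{size:>6} bytes: {status}")
```

To reproduce the thread's scenario across a real link, split the listener and sender halves between the collector and the logging client; on loopback everything arrives intact, and the 1400-byte ceiling only appears once an Ethernet MTU sits in the path.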

abori
Engager

After running wireshark on the client and server, we found that the messages were being truncated to fit in one UDP packet (max 1452 bytes). Even though the server was receiving the truncated message, it was not showing up in the Splunk logs. We don't mind truncated messages. We mind dropped messages. Any ideas?
