Getting Data In

How to change the the truncating limit in the props.conf file for a scripted input?

rfc360
New Member

I have in the input.conf as an example a scripted input on the server where the Splunk Universal Forwarder is installed

[script://.\bin\LongRunningQueriesRpt.path]
interval=*/1 * * * 1-5
disabled = 0
sourcetype = csv
send_index_as_argument_for_path = 0

In the input file is the execution of the Powershell Script.

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File "$SPLUNK_HOME\etc\apps\appname\bin\LongRunningQueriesRpt.ps1"

It runs fine but in the splunkd.log file I am seeing line Breaking Processor warning messages as noted below.

WARN  LineBreakingProcessor - Truncating line because limit of 10000 bytes has been exceeded with a line length
 >= 50869 - data_source="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File "C:\Program Files\SplunkUniversalForwarder\etc\apps\appname\bin\LongRunningQueriesRpt.ps1"", data_host="host_name", data_sourcetype="csv"

I understand I have to update the props.conf file on the indexer as that is where the parsing happens. But I am not sure what to use, as the examples I've seen have been for log files. So, I am not sure what I should put in the source section to eliminate the messages. I only want/need to do this for this particular script. Any ideas I can try?

[Source::?]
TRUNCATE = 0 

The above is what I want to use but Just not sure what to put into the source. Thanks in advance for any help anyone can provide.

0 Karma
1 Solution

somesoni2
SplunkTrust
SplunkTrust

Try like this

[source::...LongRunningQueriesRpt.path]
TRUNCATE = 0

View solution in original post

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Try like this

[source::...LongRunningQueriesRpt.path]
TRUNCATE = 0
0 Karma

rfc360
New Member

I'm accepting somesoni2 answer regarding using a custom sourcetype. After working with the splunk admin that fix the truncation errors. Thanks.

0 Karma

rfc360
New Member

I put this update in the props.conf on the indexer server and restarted the service and it warning messages are still coming in. So, should it go on the forwarder server instead? I put exactly what you had in the example. Should I remove the ... and put the actual windows path?

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Try with full path.

I would create a new sourcetype (instead of using default csv sourcetype) in this case. I would define my custom sourcetype on Indexer and would include the TRUNCATE setting in it and would update the inputs.conf entry to use my custom sourcetype.

0 Karma

rfc360
New Member

So, should I put the full path to the .path based on the indexer under the deployment apps subdirectory or based on the forwarder server based on apps sub directory? Based on your feedback I will look into both suggestions you have made and report back tomorrow. Thanks again for your quick responses.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

It would be the full path on the Forwarder. If you're getting data from that script to Splunk already, you can just search for the data and look for the value in the source field in Splunk Web (and use that).

0 Karma

rfc360
New Member

Okay, so, this is what I see in the source field in splunk web

"C:\
Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File "C:\Program Files\SplunkUniversalForwarder\etc\apps\appname\bin\LongRunningQueriesRpt.ps1""

When I put that in the props.conf on the indexer I still get the warnings. I apologize for the delay. Initially, I was not on the indexer, and I didn't have permissions to it. Now, I do. This is what I have tried so far.

  1. [source::"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File \"C:\Program Files\SplunkUniversalForwarder\etc\apps\appname\bin\LongRunningQueriesRpt.ps1\""]
    TRUNCATE = 0

  2. [source::...LongRunningQueriesRpt.ps1]
    TRUNCATE = 0

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...