Getting Data In

How to change the the truncating limit in the props.conf file for a scripted input?

New Member

I have in the input.conf as an example a scripted input on the server where the Splunk Universal Forwarder is installed

[script://.\bin\LongRunningQueriesRpt.path]
interval=*/1 * * * 1-5
disabled = 0
sourcetype = csv
send_index_as_argument_for_path = 0

In the input file is the execution of the Powershell Script.

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File "$SPLUNK_HOME\etc\apps\appname\bin\LongRunningQueriesRpt.ps1"

It runs fine but in the splunkd.log file I am seeing line Breaking Processor warning messages as noted below.

WARN  LineBreakingProcessor - Truncating line because limit of 10000 bytes has been exceeded with a line length
 >= 50869 - data_source="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File "C:\Program Files\SplunkUniversalForwarder\etc\apps\appname\bin\LongRunningQueriesRpt.ps1"", data_host="host_name", data_sourcetype="csv"

I understand I have to update the props.conf file on the indexer as that is where the parsing happens. But I am not sure what to use, as the examples I've seen have been for log files. So, I am not sure what I should put in the source section to eliminate the messages. I only want/need to do this for this particular script. Any ideas I can try?

[Source::?]
TRUNCATE = 0 

The above is what I want to use but Just not sure what to put into the source. Thanks in advance for any help anyone can provide.

0 Karma
1 Solution

SplunkTrust
SplunkTrust

Try like this

[source::...LongRunningQueriesRpt.path]
TRUNCATE = 0

View solution in original post

0 Karma

SplunkTrust
SplunkTrust

Try like this

[source::...LongRunningQueriesRpt.path]
TRUNCATE = 0

View solution in original post

0 Karma

New Member

I'm accepting somesoni2 answer regarding using a custom sourcetype. After working with the splunk admin that fix the truncation errors. Thanks.

0 Karma

New Member

I put this update in the props.conf on the indexer server and restarted the service and it warning messages are still coming in. So, should it go on the forwarder server instead? I put exactly what you had in the example. Should I remove the ... and put the actual windows path?

0 Karma

SplunkTrust
SplunkTrust

Try with full path.

I would create a new sourcetype (instead of using default csv sourcetype) in this case. I would define my custom sourcetype on Indexer and would include the TRUNCATE setting in it and would update the inputs.conf entry to use my custom sourcetype.

0 Karma

New Member

So, should I put the full path to the .path based on the indexer under the deployment apps subdirectory or based on the forwarder server based on apps sub directory? Based on your feedback I will look into both suggestions you have made and report back tomorrow. Thanks again for your quick responses.

0 Karma

SplunkTrust
SplunkTrust

It would be the full path on the Forwarder. If you're getting data from that script to Splunk already, you can just search for the data and look for the value in the source field in Splunk Web (and use that).

0 Karma

New Member

Okay, so, this is what I see in the source field in splunk web

"C:\
Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File "C:\Program Files\SplunkUniversalForwarder\etc\apps\appname\bin\LongRunningQueriesRpt.ps1""

When I put that in the props.conf on the indexer I still get the warnings. I apologize for the delay. Initially, I was not on the indexer, and I didn't have permissions to it. Now, I do. This is what I have tried so far.

  1. [source::"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File \"C:\Program Files\SplunkUniversalForwarder\etc\apps\appname\bin\LongRunningQueriesRpt.ps1\""]
    TRUNCATE = 0

  2. [source::...LongRunningQueriesRpt.ps1]
    TRUNCATE = 0

0 Karma