How to edit props.conf to override Splunk truncati...

rh0dium · ‎12-06-2016

Hi Guys,

So I figured out that my Splunk instance is truncating my JSON data. That's not good and I'd like to remedy this. In reading, it looks as though I need to override my props.conf file by using the local/props.conf file. Since I'm using a Universal Forwarder it appears I don't need touch this ( http://wiki.splunk.com/Community:HowIndexingWorks ) as from the picture TRUNCATE happens in the parsing stage on the main server.

So on my main server I added the following stanza. I then read ( http://docs.splunk.com/Documentation/Splunk/6.5.1/admin/Propsconf ) that I simply need to hit | extract reload=T and I should be in business.

Well it didn't work! Can someone with a bigger brain please point out my error? On the forwarder side I'm am monitoring the following file. FWIW - I also tried editing the UF side props.conf and that didn't work either.

/opt/splunk/splunkforwarder/bin/splunk add monitor /var/log/django/ -sourcetype json

/opt/splunk/etc/system/local/props.conf

[_json]
pulldown_type = true
INDEXED_EXTRACTIONS = json
TRUNCATE = 30000
KV_MODE = none
category = Structured
description = JavaScript Object Notation format. For more information, visit http://json.org/

Finally here is the image of it getting truncated at 10000 which is the default.

jplumsdaine22 · ‎01-05-2017

From your screenshot I can see the sourctype is json, not _json as your per your props.conf. Have you tried changing the stanza name in props.conf?

How to edit props.conf to override Splunk truncating JSON data?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!