Getting Data In

How to increase the event size which is limited to 10000 in Splunk cloud ?

New Member

I am not able to fetch the full JSON payload using the scripted input in the Splunk cloud.
Here, I have installed a universal forwarder that is connected to Splunk cloud, then I have created a simple app that will run the python script. The script will give the API output in the JSON format. While fetching the event in the search app I am not able to see my full JSON payload which is truncating at the 10000 characters where my payload is having more than 30000 characters.

As per the suggestions from the Splunk answer which we change the limits.conf and props.conf files in the /system/default
still not able to sort out.

Please come up with solutions.
Thank you.

0 Karma



If you use Splunk Cloud Managed, you can make this change in Splunk Cloud through the web interface.

Settings > Sourcetypes > Select the Sourcetype you are using > click the Advanced tab > here the TRUNCATE 10000 option appears. If you change this to a higher value, this will probably solve your issue.

However as @nickhillscpl suggested, if you use a heavy forwarder then you'll probably have to make the change on the heavy forwarder.

Kind regards,

Ultra Champion

To change truncation limits you need to apply this at the first parsing stage.

If you have UF>HF>Splunk Cloud then you need to make the change on the HF.
If you have UF>Splunk Cloud, then you need the change made on the indexers.

As a general note, you should NEVER make a change in system/default!
Changes should only be in system/local - but preferably in $SPLUNK_HOME/etc/apps/YOURAPPNAME/[default|local]

You say you have created an app - presumably which you push onto your UFs?
You should add the stanza into props.conf in that app (in /default if you maintain the app, in /local if its a third party app) - It wont take any effect on your UFs, but you can deploy the same app (with the inputs disabled) on your HF/indexers.

in props.conf

If my comment helps, please give it a thumbs up!
0 Karma


Did you submit a support ticket to have the limits increased? If not, that's what you want to do because the settings need to be made on the indexers and maybe the search heads too. I forget, but either way you need a support ticket I believe.

0 Karma


Set TRUNCATE = 0 in props.conf for your sourcetype.

0 Karma
Get Updates on the Splunk Community!

There's No Place Like Chrome and the Splunk Platform

Watch On DemandMalware. Risky Extensions. Data Exfiltration. End-users are increasingly reliant on browsers to ...

The Great Resilience Quest: 5th Leaderboard Update

The fifth leaderboard update for The Great Resilience Quest is out >> 🏆 Check out the ...

Devesh Logendran, Splunk, and the Singapore Cyber Conquest

At this year’s Splunk University, I had the privilege of chatting with Devesh Logendran, one of the winners in ...