How to increase the event size which is limited to 10000 in Splunk Cloud?

vasutiwari
New Member

Hi,
I am not able to fetch the full JSON payload using the scripted input in Splunk Cloud.
Here, I have installed a universal forwarder that is connected to Splunk Cloud, then I have created a simple app that runs the Python script. The script gives the API output in JSON format. While fetching the event in the search app I am not able to see my full JSON payload, which is truncated at 10000 characters, whereas my payload has more than 30000 characters.

As per the suggestions from the Splunk answer, we changed the limits.conf and props.conf files in /system/default,
but we are still not able to sort it out.

Please come up with solutions.
Thank you.

0 Karma

willemjongeneel
Communicator

Hello,

If you use Splunk Cloud Managed, you can make this change in Splunk Cloud through the web interface.

Settings > Sourcetypes > Select the Sourcetype you are using > click the Advanced tab > here the TRUNCATE 10000 option appears. If you change this to a higher value, this will probably solve your issue.

However, as @nickhillscpl suggested, if you use a heavy forwarder then you'll probably have to make the change on the heavy forwarder.

Kind regards,
Willem

nickhills
Ultra Champion

To change truncation limits you need to apply this at the first parsing stage.

If you have UF>HF>Splunk Cloud then you need to make the change on the HF.
If you have UF>Splunk Cloud, then you need the change made on the indexers.

As a general note, you should NEVER make a change in system/default!
Changes should only be in system/local - but preferably in $SPLUNK_HOME/etc/apps/YOURAPPNAME/[default|local]

You say you have created an app - presumably which you push onto your UFs?
You should add the stanza into props.conf in that app (in /default if you maintain the app, in /local if it's a third-party app) - It won't take any effect on your UFs, but you can deploy the same app (with the inputs disabled) on your HF/indexers.

In props.conf:

[yoursourcetype]
TRUNCATE = 0

If my comment helps, please give it a thumbs up!
0 Karma

jkat54
SplunkTrust

Did you submit a support ticket to have the limits increased? If not, that's what you want to do because the settings need to be made on the indexers and maybe the search heads too. I forget, but either way you need a support ticket I believe.

0 Karma

manjunathmeti
SplunkTrust

Set TRUNCATE = 0 in props.conf for your sourcetype.

[_json]
TRUNCATE = 0

0 Karma
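
Added example, not from any post in this thread: a Python check that a scripted-input author could run on the API output before changing props.conf. It models TRUNCATE as a byte limit (the 10000 value discussed above), reports which events would stop parsing as JSON once cut, and proposes a bounded value as an alternative to 0; the function names, the 1.5 headroom factor and the sample payload are assumptions constructed for illustration.

```python
import json
import math

DEFAULT_TRUNCATE = 10000  # limit reported in the thread


def truncate_like_splunk(event: str, limit: int) -> str:
    """Model TRUNCATE: cut the event at `limit` bytes; 0 means no limit."""
    raw = event.encode("utf-8")
    if limit == 0 or len(raw) <= limit:
        return event
    # Assumption: a multi-byte character split by the cut is dropped.
    return raw[:limit].decode("utf-8", errors="ignore")


def parses_as_json(event: str) -> bool:
    try:
        json.loads(event)
        return True
    except json.JSONDecodeError:
        return False


def audit(events, limit=DEFAULT_TRUNCATE, headroom=1.5, step=10000):
    """Report which events the limit would break and propose a bounded TRUNCATE."""
    sizes = [len(e.encode("utf-8")) for e in events]
    broken = [i for i, e in enumerate(events)
              if not parses_as_json(truncate_like_splunk(e, limit))]
    # Round (largest event * headroom) up to the next multiple of `step`.
    suggested = math.ceil(max(sizes) * headroom / step) * step
    return {"max_bytes": max(sizes), "broken": broken, "suggested": suggested}


def make_payload(n_items: int) -> str:
    """Constructed sample standing in for the scripted input's API output."""
    items = [{"id": i, "name": f"item-{i:05d}", "note": "é" * 20}
             for i in range(n_items)]
    return json.dumps({"items": items}, ensure_ascii=False)


if __name__ == "__main__":
    sample = [make_payload(5), make_payload(400)]  # small and >30000-byte events
    report = audit(sample)
    print(report)
    print(f"[yoursourcetype]\nTRUNCATE = {report['suggested']}")
```

The size is measured in UTF-8 bytes rather than characters, so payloads with non-ASCII text reach the limit sooner than a character count suggests.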