Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to set Splunk Cloud HTTP-INPUT Truncating to 10000 Characters

CS_
Path Finder
‎02-15-2022 03:47 AM

Hi all,

We are using Splunk Cloud, and I am using the https://http-inputs-mydomain.com/services/collector/raw to send a log file for ingestion.

The problem is that each line in this log file can be quite big, 25000 characters or more.

Splunk Cloud is truncating at 10,000 characters.

I can find steps for handling this on Splunk On-Prem for Heavy Log Forwarders etc. but doesn't seem to be addressed for the http-inputs on cloud.

Any idea's on how I can change it to accept larger logs?

Thanks,

Chris

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

tshah-splunk
Splunk Employee
Splunk Employee
‎02-15-2022 03:56 AM

Hey @CS_,

Can you try defining the TRUNCATE parameter in the props.conf file for the sourcetype that you have defined in the inputs.conf for HEC Token input. The default value of this parameter is 10000, hence the reason for truncating at 10000 characters. You can increase the value to accept larger logs.

More details for the parameter can be found here - https://docs.splunk.com/Documentation/Splunk/8.2.4/Admin/Propsconf 

---
If you find the answer helpful, an upvote/karma is appreciated

View solution in original post

Reply
Solved! Jump to solution

CS_
Path Finder
‎02-16-2022 08:35 AM

We were able to get it working by amending the source type on the HEC token, and setting the character limit to 1mb (1,000,000 characters)

0 Karma
Reply
Solved! Jump to solution
Solution

tshah-splunk
Splunk Employee
Splunk Employee
‎02-15-2022 03:56 AM

Hey @CS_,

Can you try defining the TRUNCATE parameter in the props.conf file for the sourcetype that you have defined in the inputs.conf for HEC Token input. The default value of this parameter is 10000, hence the reason for truncating at 10000 characters. You can increase the value to accept larger logs.

More details for the parameter can be found here - https://docs.splunk.com/Documentation/Splunk/8.2.4/Admin/Propsconf 

---
If you find the answer helpful, an upvote/karma is appreciated
Reply
Solved! Jump to solution

CS_
Path Finder
‎02-15-2022 04:03 AM

thanks @tshah-splunk I'll have a look and see if I can make that change. will update with result.

-C

Reply
Solved! Jump to solution

VatsalJagani
SplunkTrust
SplunkTrust
‎02-15-2022 08:46 PM

Yes, the TRUNCATE parameter should definitely work as you are using services/collector/raw endpoint for HEC.

Just to keep in mind, the TRUNCATE parameter or any other index-time/parsing parameters will not work if you are using just the regular /services/collector endpoint.

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...