Solved: Ingesting data from a syslog server, Splunk is tru...

tmarlette · ‎05-17-2016

I am ingesting data from a syslog server, and some of those file paths are pretty long. It appears that Splunk is truncating these file paths before it writes the 'source' field. Is there a setting to disable this?

This is what I'm seeing with my search:

index=syslog | stats count by source

Results:

/data/syslog/2016/05/17/...Device/messages  5
/data/syslog/2016/05/17/...dor/messages 8
/data/syslog/2016/05/17/...er/messages  2
/data/syslog/2016/05/17/...ice/messages 5
/data/syslog/2016/05/17/...or/messages  6
/data/syslog/2016/05/17/...orized/messages  7
/data/syslog/2016/05/17/...r/messages   4
/data/syslog/2016/05/17/...rized/messages   3

I'm trying to remove the '...' extensions, and show the whole file path. Would I use a * in the place of the '...' in inputs.conf?

tmarlette · ‎06-02-2016

This was not an issue at the Splunk level, this was an error within rsyslog that is truncating the log files.

View solution in original post

tmarlette · ‎06-02-2016

This was not an issue at the Splunk level, this was an error within rsyslog that is truncating the log files.

View solution in original post

woodcock · ‎05-29-2016

Change your visualization to "Statistics Table" instead of whatever it is now.

jkat54 · ‎05-18-2016

Yes, please provide a copy of the relevant inputs.conf, props.conf, and transforms.conf stanzas related to this sourcetype. Splunk does not truncate by default. and '...' in inputs.conf is the same as .* in regex. It should grab everything.

masonmorales · ‎05-17-2016

What does your inputs.conf look like?

masonmorales · ‎05-17-2016

Relevant props/transforms too, please.

mtranchita · ‎05-17-2016

from the way the question is written it isn't clear that this a UI artifact of the search or the actual value of the source field. is it possible to provide more info?

Ingesting data from a syslog server, Splunk is truncating file paths before being written to the source field. How do I disable this?