Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Is there an upper limit on maxEventSize of outputs.conf?

HiroshiSatoh
Champion
‎02-26-2017 05:33 PM

Currently, we make the following settings, but we have confirmed the phenomenon that the log is interrupted at about 2000 bytes.

[Syslog: win-event-log]
・・・・・
Type = tcp
MaxEventSize = 65536

As the setting of the receiving side rsyslog, the size is set to a large value ($ MaxMessageSize 64k).

Splunk 6.5.1
Linux

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

mattymo
Splunk Employee
Splunk Employee
‎02-26-2017 05:55 PM

No upper limit is posted in the spec file

maxEventSize = <integer>
* If specified, sets the maximum size of an event that splunk will transmit.
* All events excedding this size will be truncated.
* Defaults to 1024 bytes.

https://docs.splunk.com/Documentation/Splunk/6.5.2/Admin/Outputsconf

Are you forwarding from Splunk to rsyslog?

- MattyMo

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

mattymo
Splunk Employee
Splunk Employee
‎02-26-2017 05:55 PM

No upper limit is posted in the spec file

maxEventSize = <integer>
* If specified, sets the maximum size of an event that splunk will transmit.
* All events excedding this size will be truncated.
* Defaults to 1024 bytes.

https://docs.splunk.com/Documentation/Splunk/6.5.2/Admin/Outputsconf

Are you forwarding from Splunk to rsyslog?

- MattyMo
0 Karma
Reply
Solved! Jump to solution

HiroshiSatoh
Champion
‎02-26-2017 09:57 PM

Yes, I am transferring from Splunk to rsyslog.

0 Karma
Reply
Solved! Jump to solution

mattymo
Splunk Employee
Splunk Employee
‎02-27-2017 05:17 AM

Are you using a Heavy Forwarder?

Docs states sending syslog out needs a heavy forwarder, and also mentions using the SEDCMD to remove new lines from Win events...I have seen new lines cause some havoc with events sent to syslog servers, breaking events into multiple pieces...

You can specify a SEDCMD configuration in props.conf to address data that contains characters that the third-party server cannot process. This option is useful for removing newline characters from Windows Event Log events.

http://docs.splunk.com/Documentation/Splunk/6.5.2/Forwarding/Forwarddatatothird-partysystemsd

- MattyMo
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...