Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is there an upper limit on maxEventSize of outputs.conf?

HiroshiSatoh
Champion
‎02-26-2017 05:33 PM

Currently, we make the following settings, but we have confirmed the phenomenon that the log is interrupted at about 2000 bytes.

[Syslog: win-event-log]
・・・・・
Type = tcp
MaxEventSize = 65536

As the setting of the receiving side rsyslog, the size is set to a large value ($ MaxMessageSize 64k).

Splunk 6.5.1
Linux

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

mattymo
Splunk Employee
Splunk Employee
‎02-26-2017 05:55 PM

No upper limit is posted in the spec file

maxEventSize = <integer>
* If specified, sets the maximum size of an event that splunk will transmit.
* All events excedding this size will be truncated.
* Defaults to 1024 bytes.

https://docs.splunk.com/Documentation/Splunk/6.5.2/Admin/Outputsconf

Are you forwarding from Splunk to rsyslog?

- MattyMo

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

mattymo
Splunk Employee
Splunk Employee
‎02-26-2017 05:55 PM

No upper limit is posted in the spec file

maxEventSize = <integer>
* If specified, sets the maximum size of an event that splunk will transmit.
* All events excedding this size will be truncated.
* Defaults to 1024 bytes.

https://docs.splunk.com/Documentation/Splunk/6.5.2/Admin/Outputsconf

Are you forwarding from Splunk to rsyslog?

- MattyMo
0 Karma
Reply
Solved! Jump to solution

HiroshiSatoh
Champion
‎02-26-2017 09:57 PM

Yes, I am transferring from Splunk to rsyslog.

0 Karma
Reply
Solved! Jump to solution

mattymo
Splunk Employee
Splunk Employee
‎02-27-2017 05:17 AM

Are you using a Heavy Forwarder?

Docs states sending syslog out needs a heavy forwarder, and also mentions using the SEDCMD to remove new lines from Win events...I have seen new lines cause some havoc with events sent to syslog servers, breaking events into multiple pieces...

You can specify a SEDCMD configuration in props.conf to address data that contains characters that the third-party server cannot process. This option is useful for removing newline characters from Windows Event Log events.

http://docs.splunk.com/Documentation/Splunk/6.5.2/Forwarding/Forwarddatatothird-partysystemsd

- MattyMo
0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  &#x1f680; Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...