Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is there an upper limit on maxEventSize of outputs.conf?

HiroshiSatoh
Champion
‎02-26-2017 05:33 PM

Currently, we make the following settings, but we have confirmed the phenomenon that the log is interrupted at about 2000 bytes.

[Syslog: win-event-log]
・・・・・
Type = tcp
MaxEventSize = 65536

As the setting of the receiving side rsyslog, the size is set to a large value ($ MaxMessageSize 64k).

Splunk 6.5.1
Linux

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

mattymo
Splunk Employee
Splunk Employee
‎02-26-2017 05:55 PM

No upper limit is posted in the spec file

maxEventSize = <integer>
* If specified, sets the maximum size of an event that splunk will transmit.
* All events excedding this size will be truncated.
* Defaults to 1024 bytes.

https://docs.splunk.com/Documentation/Splunk/6.5.2/Admin/Outputsconf

Are you forwarding from Splunk to rsyslog?

- MattyMo

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

mattymo
Splunk Employee
Splunk Employee
‎02-26-2017 05:55 PM

No upper limit is posted in the spec file

maxEventSize = <integer>
* If specified, sets the maximum size of an event that splunk will transmit.
* All events excedding this size will be truncated.
* Defaults to 1024 bytes.

https://docs.splunk.com/Documentation/Splunk/6.5.2/Admin/Outputsconf

Are you forwarding from Splunk to rsyslog?

- MattyMo
0 Karma
Reply
Solved! Jump to solution

HiroshiSatoh
Champion
‎02-26-2017 09:57 PM

Yes, I am transferring from Splunk to rsyslog.

0 Karma
Reply
Solved! Jump to solution

mattymo
Splunk Employee
Splunk Employee
‎02-27-2017 05:17 AM

Are you using a Heavy Forwarder?

Docs states sending syslog out needs a heavy forwarder, and also mentions using the SEDCMD to remove new lines from Win events...I have seen new lines cause some havoc with events sent to syslog servers, breaking events into multiple pieces...

You can specify a SEDCMD configuration in props.conf to address data that contains characters that the third-party server cannot process. This option is useful for removing newline characters from Windows Event Log events.

http://docs.splunk.com/Documentation/Splunk/6.5.2/Forwarding/Forwarddatatothird-partysystemsd

- MattyMo
0 Karma
Reply
Get Updates on the Splunk Community!

3 Ways to Make OpenTelemetry Even Better

My role as an Observability Specialist at Splunk provides me with the opportunity to work with customers of ...

What's New in Splunk Cloud Platform 9.2.2406?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2406 with many ...

Enterprise Security Content Update (ESCU) | New Releases

In August, the Splunk Threat Research Team had 3 releases of new security content via the Enterprise Security ...