Getting Data In

LineBreakingProcessor - Truncating line because limit of 10000 has been exceeded -Audit.log

Communicator

Hi folks,

I am encountering this error in the splunkd.log. I've looked on how to increase the truncating limit, but am hesitant to apply it here because it is referencing "/opt/splunk/var/log/splunk/audit.log", which is an internal source as I see it. Where would I change the props.conf's TRUNCATE value and have it only apply to this file?

0 Karma
1 Solution

Path Finder

You should be able to add an entry to $SPLUNK_HOME/etc/system/local/props.conf similiar to this:

[source::.../var/log/splunk/audit.log(.\d+)?]
TRUNCATE = 0

which would disable truncation for that log file. This overrides the default TRUNCATE value for this source.

Before:

$SPLUNK_HOME/bin/splunk cmd btool props list 'source::.../var/log/splunk/audit.log' | grep TRUNCATE
TRUNCATE = 10000

After:

$SPLUNK_HOME/bin/splunk cmd btool props list 'source::.../var/log/splunk/audit.log' | grep TRUNCATE
TRUNCATE = 0

View solution in original post

Path Finder

You should be able to add an entry to $SPLUNK_HOME/etc/system/local/props.conf similiar to this:

[source::.../var/log/splunk/audit.log(.\d+)?]
TRUNCATE = 0

which would disable truncation for that log file. This overrides the default TRUNCATE value for this source.

Before:

$SPLUNK_HOME/bin/splunk cmd btool props list 'source::.../var/log/splunk/audit.log' | grep TRUNCATE
TRUNCATE = 10000

After:

$SPLUNK_HOME/bin/splunk cmd btool props list 'source::.../var/log/splunk/audit.log' | grep TRUNCATE
TRUNCATE = 0

View solution in original post

Communicator

This did the trick. Thanks for the btool query to verify!

0 Karma

New Member

I am having same issue.
It is in a specific class and we have added the TRUNCATE in the $SPLUNK_HOME/etc/deployment_apps//local/props.conf, deployed it and verified it was at destination but still getting thousands of these messages.

0 Karma

Explorer

See http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings

This is a great site that shows which servers should contain the correct Splunk configuration files.

In your case, you are settings TRUNCATE (parsing phase) in your props.conf and sending it to your Splunk forwarder server. Based on the above link the only time you should set parsing on a forwarder is when it's a heavy forwarder. Otherwise, you should set your parsing configuration on your indexer.

So, trying adding your TRUNCATE setting in your props.conf on your indexer server and see if that resolves your issue.

0 Karma