LineBreakingProcessor - Truncating line because limit of 10000 has been exceeded -Audit.log

jravida
Communicator

Hi folks,

I am encountering this error in the splunkd.log. I've looked into how to increase the truncating limit, but am hesitant to apply it here because it is referencing "/opt/splunk/var/log/splunk/audit.log", which is an internal source as I see it. Where would I change the props.conf's TRUNCATE value and have it only apply to this file?

0 Karma

mcmaster
Communicator

You should be able to add an entry to $SPLUNK_HOME/etc/system/local/props.conf similar to this:

[source::.../var/log/splunk/audit.log(.\d+)?]
TRUNCATE = 0

which would disable truncation for that log file. This overrides the default TRUNCATE value for this source.

Before:

$SPLUNK_HOME/bin/splunk cmd btool props list 'source::.../var/log/splunk/audit.log' | grep TRUNCATE
TRUNCATE = 10000

After:

$SPLUNK_HOME/bin/splunk cmd btool props list 'source::.../var/log/splunk/audit.log' | grep TRUNCATE
TRUNCATE = 0

jravida
Communicator

This did the trick. Thanks for the btool query to verify!

0 Karma

sw5269
New Member

I am having the same issue.
It is in a specific class and we have added the TRUNCATE in the $SPLUNK_HOME/etc/deployment_apps//local/props.conf, deployed it and verified it was at destination but still getting thousands of these messages.

0 Karma

AppServices
Explorer

See http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings

This is a great site that shows which servers should contain the correct Splunk configuration files.

In your case, you are setting TRUNCATE (parsing phase) in your props.conf and sending it to your Splunk forwarder server. Based on the above link, the only time you should set parsing on a forwarder is when it's a heavy forwarder. Otherwise, you should set your parsing configuration on your indexer.

So, try adding your TRUNCATE setting in your props.conf on your indexer server and see if that resolves your issue.

0 Karma
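
Added example (not part of the thread and not Splunk's own code): a small Python summarizer for the LineBreakingProcessor warnings discussed above, showing which sources are being truncated, by how much, and when the warning was last seen, so a TRUNCATE override can be scoped and then checked. The splunkd.log line layout, the `data_source` field and the sample lines are assumptions modeled on the message quoted in the thread title.

```python
import re
from collections import defaultdict

# Assumed splunkd.log layout, modeled on the warning quoted in this thread.
# "bytes", the line length and data_source are optional in the pattern because
# the exact wording is an assumption and may differ between Splunk versions.
WARN_RE = re.compile(
    r'^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) \S+\s+WARN\s+'
    r'LineBreakingProcessor - Truncating line because limit of (?P<limit>\d+)'
    r'(?: bytes)? has been exceeded'
    r'(?: with a line length >= (?P<length>\d+))?'
    r'(?:.*?data_source="(?P<source>[^"]*)")?'
)

def summarize_truncation(lines):
    """Group truncation warnings by source: count, limit, longest line, last seen."""
    summary = defaultdict(
        lambda: {"count": 0, "limit": 0, "max_length": 0, "last_seen": ""})
    for line in lines:
        m = WARN_RE.match(line)
        if not m:
            continue  # not a truncation warning
        entry = summary[m.group("source") or "<unknown>"]
        entry["count"] += 1
        entry["limit"] = int(m.group("limit"))
        entry["max_length"] = max(entry["max_length"], int(m.group("length") or 0))
        entry["last_seen"] = m.group("ts")  # log is chronological, last match wins
    return dict(summary)

# Constructed sample lines, not taken from a real system.
PREFIX = " +0000 WARN  LineBreakingProcessor - Truncating line because limit of 10000"
SAMPLE = [
    '08-14-2023 10:15:02.123' + PREFIX + ' bytes has been exceeded with a line length >= 14231'
    ' - data_source="/opt/splunk/var/log/splunk/audit.log", data_host="idx01", data_sourcetype="audittrail"',
    '08-14-2023 10:15:30.500 +0000 INFO  Metrics - group=pipeline, name=parsing',
    '08-14-2023 10:16:40.007' + PREFIX + ' bytes has been exceeded with a line length >= 10502'
    ' - data_source="/opt/splunk/var/log/splunk/audit.log", data_host="idx01", data_sourcetype="audittrail"',
    '08-14-2023 10:17:11.250' + PREFIX + ' bytes has been exceeded with a line length >= 25000'
    ' - data_source="/var/log/app/events.json", data_host="web01", data_sourcetype="app_json"',
    '08-14-2023 10:18:00.000' + PREFIX + ' has been exceeded',
]

if __name__ == "__main__":
    for source, info in summarize_truncation(SAMPLE).items():
        print(source, info)
```

Run it over splunkd.log on the instance that does the parsing; once an override for a source is in effect, that source's `last_seen` should stop advancing.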