I am getting this error in the splunkd.log.
I've seen a previous post which talks about the line breaking settings within props.conf, but I don't have that section in any of my props.conf files, either system or nmon (which is the element being complained about).
In the props.conf I have for NMON in the [/apps/splunk-6.2.2-255606/splunk/etc/apps/nmon/default] directory, I have the nmon config as:
[nmon_config]
BREAK_ONLY_BEFORE=CONFIG,
MAX_EVENTS=100000
NO_BINARY_CHECK=1
SHOULD_LINEMERGE=true
TIME_FORMAT=%d-%b-%Y:%H:%M
TIME_PREFIX=CONFIG,
TRUNCATE=0
The TRUNCATE=0 would lead me to believe, from what I've seen on a previous post, that it shouldn't truncate, but clearly it is.
Can anyone suggest which setting might be influencing this please?
@john_howley : The splunkd error pertains to the sourcetype=lsof as reported in data_sourcetype=lsof. You will need a [lsof] stanza defined in props.conf to apply to these events:
Example:
Set in $SPLUNK_HOME/etc/system/local/props.conf on all of your indexers:
[lsof]
TRUNCATE=0
Then restart Splunk:
cd $SPLUNK_HOME/bin
./splunk restart
Use the following attributes to define the length of a line.
TRUNCATE =
* Change the default maximum line length (in bytes).
* Although this is in bytes, line length is rounded down when this would
otherwise land mid-character for multi-byte characters.
* Set to 0 if you never want truncation (very long lines are, however, often a sign of
garbage data).
* Defaults to 10000 bytes.
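An added example (not part of the original answer and not Splunk's own tooling): a small Python check that reads truncation warnings, pulls out the data_sourcetype each one names, and reports which props.conf stanza, if any, sets TRUNCATE for it. The warning line format and all sample data are constructed assumptions; only exact [sourcetype] and [default] stanzas are checked, not source:: or host:: stanzas.

```python
import re

DEFAULT_TRUNCATE = 10000  # default quoted in the documentation excerpt above

def parse_props(*layers):
    """Merge props.conf texts; later layers (e.g. local) override earlier ones."""
    merged = {}
    for text in layers:
        stanza = None
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            if line.startswith("[") and line.endswith("]"):
                stanza = line[1:-1]
                merged.setdefault(stanza, {})
            elif stanza is not None and "=" in line:
                key, value = line.split("=", 1)
                merged[stanza][key.strip()] = value.strip()
    return merged

def effective_truncate(props, sourcetype):
    """Return (limit, origin). Checks only exact [sourcetype], then [default]."""
    for stanza in (sourcetype, "default"):
        if "TRUNCATE" in props.get(stanza, {}):
            return int(props[stanza]["TRUNCATE"]), "[%s]" % stanza
    return DEFAULT_TRUNCATE, "built-in default"

def truncated_sourcetypes(log_lines):
    """Collect the data_sourcetype named in each truncation warning."""
    pat = re.compile(r'Truncating line.*data_sourcetype="?([^",\s]+)')
    return sorted({m.group(1) for line in log_lines if (m := pat.search(line))})

def audit(log_lines, props):
    """Map each truncated sourcetype to the TRUNCATE value that governs it."""
    return {st: effective_truncate(props, st) for st in truncated_sourcetypes(log_lines)}

# Constructed sample input (assumed warning format; not taken from the thread).
DEFAULT_LAYER = "[nmon_config]\nTRUNCATE=0\n\n[kvstore]\nTRUNCATE = 1000000\n"
LOCAL_FIX = "[lsof]\nTRUNCATE=0\n"
WARNINGS = [
    'WARN LineBreakingProcessor - Truncating line because limit of 10000 bytes has '
    'been exceeded - data_source="lsof", data_host="host1", data_sourcetype="lsof"',
    'INFO TailingProcessor - unrelated constructed line',
]

if __name__ == "__main__":
    print(audit(WARNINGS, parse_props(DEFAULT_LAYER)))             # before the fix
    print(audit(WARNINGS, parse_props(DEFAULT_LAYER, LOCAL_FIX)))  # after the fix
```

With only the nmon and kvstore stanzas present, the lsof sourcetype falls through to the 10000-byte default even though TRUNCATE=0 is set elsewhere; adding the [lsof] layer changes the result to 0.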
Thanks rphillips - that worked..
So, should we do this change on the indexer side or the Splunk forwarder side?
As an additional note, there are three .conf files that do contain a =1000000; they are:
indexes.conf:maxMetaEntries = 1000000
limits.conf:max_chunk_queue_size = 1000000
props.conf:TRUNCATE = 1000000
The TRUNCATE one looks hopeful, but comes from the [kvstore] stanza which I initially thought was referring to certificate, but now I see it is key values - I will try creating a local version to allow > 1000000 and see what occurs.
[kvstore]
SHOULD_LINEMERGE = false
TIMESTAMP_FIELDS = datetime
TIME_FORMAT = %m-%d-%Y %H:%M:%S.%l %z
INDEXED_EXTRACTIONS = json
KV_MODE = none
TRUNCATE = 1000000
Adjusting that setting in ..local/props.conf and restarting had no effect - still get the same error.