Getting Data In

LineBreakingProcessor - Truncating line because limit of 1000000 bytes has been exceeded with a line length >= 1003520 - data_source="lsof", data_host="gbrdcr10328n02", data_sourcetype="lsof"

Path Finder

I am getting this error in the splunkd.log.
I've seen a previous post which talks about the line breaking settings within props.conf, but I don't have that section in any of my props.conf files, either system or nmon (which is the element being complained about).
In the props.conf I have for NMON in the [/apps/splunk-6.2.2-255606/splunk/etc/apps/nmon/default] directory, I have the nmon config as:

nmon config stanza

[nmon_config]

BREAK_ONLY_BEFORE=CONFIG,
MAX_EVENTS=100000
NO_BINARY_CHECK=1
SHOULD_LINEMERGE=true
TIME_FORMAT=%d-%b-%Y:%H:%M
TIME_PREFIX=CONFIG,
TRUNCATE=0

The Truncate=0 would lead me to believe, from what I've seen on a previous post, don't truncate, but clearly it is.

Can anyone suggest which setting might be influencing this please?

1 Solution

Splunk Employee

@john_howley : The splunkd error pertains to the sourcetype=lsof as reported in data_sourcetype=lsof. You will need a [lsof] stanza defined in props.conf to apply to these events:

example:
set in $SPLUNK_HOME/etc/system/local/props.conf on all of your indexers:
[lsof]
TRUNCATE=0

restart splunk
$SPLUNK_HOME/bin
./splunk restart

Use the following attributes to define the length of a line.

TRUNCATE =
* Change the default maximum line length (in bytes).
* Although this is in bytes, line length is rounded down when this would
otherwise land mid-character for multi-byte characters.
* Set to 0 if you never want truncation (very long lines are, however, often a sign of
garbage data).
* Defaults to 10000 bytes.
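
An added example, not part of the original answer and not Splunk's own tooling: a Python script that reads the LineBreakingProcessor warnings out of splunkd.log text and checks whether a props.conf has a stanza named after the reported data_sourcetype, which is the check the answer above performs by eye. The function names, the sample log lines and the host name host01 are constructed for illustration, and the props reader assumes a single file and ignores Splunk's configuration layering.

```python
import re

# Matches the splunkd.log warning quoted in this thread.
WARN = re.compile(
    r'LineBreakingProcessor - Truncating line because limit of (\d+) bytes '
    r'has been exceeded with a line length >= (\d+) - data_source="([^"]*)", '
    r'data_host="([^"]*)", data_sourcetype="([^"]*)"')

def parse_props(text):
    """Minimal props.conf reader: {stanza: {key: value}} for one file only."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def truncation_report(log_text, props_text):
    """Per sourcetype named in a warning: limit hit, longest line, stanza status."""
    props, report = parse_props(props_text), {}
    for m in WARN.finditer(log_text):
        limit, length, _source, _host, st = m.groups()
        entry = report.setdefault(st, {"limit": int(limit), "max_len": 0, "hits": 0})
        entry["max_len"] = max(entry["max_len"], int(length))
        entry["hits"] += 1
        # The stanza that matters is the one named after data_sourcetype,
        # not the stanza of whichever app the operator was looking at.
        entry["stanza_present"] = st in props
        entry["truncate"] = props.get(st, {}).get("TRUNCATE")
    return report

# Constructed sample input, modelled on the warning and stanza quoted above.
SAMPLE_LOG = '''WARN LineBreakingProcessor - Truncating line because limit of 1000000 bytes has been exceeded with a line length >= 1003520 - data_source="lsof", data_host="host01", data_sourcetype="lsof"
WARN LineBreakingProcessor - Truncating line because limit of 1000000 bytes has been exceeded with a line length >= 1200128 - data_source="lsof", data_host="host01", data_sourcetype="lsof"
'''
SAMPLE_PROPS = "[nmon_config]\nSHOULD_LINEMERGE=true\nTRUNCATE=0\n"

if __name__ == "__main__":
    for st, info in truncation_report(SAMPLE_LOG, SAMPLE_PROPS).items():
        print(st, info)
```

With the constructed input, the report shows the lsof sourcetype with no matching stanza even though [nmon_config] sets TRUNCATE=0, which is the mismatch described in the question.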

Path Finder

Thanks rphillips - that worked..

Explorer

So, should we do this change on the indexer side or the Splunk forwarder side?

Path Finder

As an additional note, there are three .conf files that do contain a =1000000; they are:

indexes.conf:maxMetaEntries = 1000000
limits.conf:max_chunk_queue_size = 1000000
props.conf:TRUNCATE = 1000000

The TRUNCATE one looks hopeful, but comes from the [kvstore] stanza which I initially thought was referring to certificate, but now I see it is key values - I will try creating a local version to allow > 1000000 and see what occurs.
[kvstore]
SHOULD_LINEMERGE = false
TIMESTAMP_FIELDS = datetime
TIME_FORMAT = %m-%d-%Y %H:%M:%S.%l %z
INDEXED_EXTRACTIONS = json
KV_MODE = none
TRUNCATE = 1000000

Path Finder

Adjusting that setting in ..local/props.conf and restarting had no effect - still get the same error.
