Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Long json got truncated even though TRUNCATE is set to 0

nminale
Engager
‎11-13-2013 09:28 AM

Hello,

I would like to add a log file containing json documents - one json per line. The json documents are pretty long (longer than 10,000 characters) and I don't want them to get truncated so I set the props.conf as follows.

NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = false
TRUNCATE = 0
KV_MODE=json
LINE_BREAKER=([\n\r]+)({)

During data preview, everything looks good. Nothing got truncated at all. However, once I completed the process and searched for it, the data is truncated to 10,000 characters, so Splunk doesn't interpret it as json.

I saw the warning in splunkd.log below.

WARN  LineBreakingProcessor - Truncating line because limit of 10000 has been exceeded with a line length >= 10506 - data_source="/opt/readonly/log-archive/mylogfile.log", data_host="test", data_sourcetype="test"

Any help would be appreciated.

Thank you.

Tags (2)
Reply

aelliott
Motivator
‎12-11-2013 11:05 AM

The search may be truncating it.
Perhaps maxvaluesize (limits.conf)
See http://docs.splunk.com/Documentation/Splunk/6.0/Admin/Limitsconf

Also wanted to note that I found a similar post that helped others here:
http://answers.splunk.com/answers/60064/json-event-truncate0

0 Karma
Reply

mwk1000
Path Finder
‎12-11-2013 10:54 AM

I have the same problem, I have good results being returned but the truncate statement does not seem to work. One note the { is a special character and should be escaped (\{) if you are actually looking for it.

I expected to get the whole JSON structure but it is still being chopped yet sourcetyped as the stanza i have defined.

--- I see the web for stripped the \ so ignore if it happened to you as well - Cheers

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...