Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

MAX_EVENTS in props.conf not working

fcologno
New Member
‎07-02-2018 05:51 AM

Hi everyone,

We have the following Splunk configuration:

  • Splunk Cloud instance (managed)
  • Universal Forwarder
  • Monitoring log

We need to index event logs with more than 256 lines.
props.conf (located at: SplunkUniversalForwarder\etc\system\local) has the following configuration:

[esb]
disabled = false
TRUNCATE = 0
LINE_BREAKER = ^.{4}-.{2}-.{2}\s.*
SHOULD_LINEMERGE = true
MAX_EVENTS = 100000

At search time, events appear truncated at max of 257 lines so, I suppose, that MAX_EVENTS props.conf isn't working.

How can i solve this issue?

Thanks

0 Karma
Reply

woodcock
Esteemed Legend
‎07-02-2018 07:13 AM

These are Indexer configurations, not UF configurations. They need to be deployed to your Indexer tier inside of Splunk Cloud. You will probably need to open a support ticket to get that done. They are in the wrong place.

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...