Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

MAX_EVENTS in props.conf not working

fcologno
New Member
‎07-02-2018 05:51 AM

Hi everyone,

We have the following Splunk configuration:

  • Splunk Cloud instance (managed)
  • Universal Forwarder
  • Monitoring log

We need to index event logs with more than 256 lines.
props.conf (located at: SplunkUniversalForwarder\etc\system\local) has the following configuration:

[esb]
disabled = false
TRUNCATE = 0
LINE_BREAKER = ^.{4}-.{2}-.{2}\s.*
SHOULD_LINEMERGE = true
MAX_EVENTS = 100000

At search time, events appear truncated at max of 257 lines so, I suppose, that MAX_EVENTS props.conf isn't working.

How can i solve this issue?

Thanks

0 Karma
Reply

woodcock
Esteemed Legend
‎07-02-2018 07:13 AM

These are Indexer configurations, not UF configurations. They need to be deployed to your Indexer tier inside of Splunk Cloud. You will probably need to open a support ticket to get that done. They are in the wrong place.

0 Karma
Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Community Content Calendar, October Edition

Welcome to the October edition of our Community Spotlight! The Splunk Community is a treasure trove of ...

SOC4Kafka - New Kafka Connector Powered by OpenTelemetry

The new SOC4Kafka connector, built on OpenTelemetry, enables the collection of Kafka messages and forwards ...