Re: Multiple props.conf files

jtm7x2 · ‎08-14-2012

I need to change the TRUNCATE= value to a higher one as I'm getting truncate warnings in my events. However, we have numerous props.conf files - several for the different apps, the default, and the one that is pushed to all of our forwarders and indexers from our deployment server. I could manually go in and change them all, but I want to figure out which one takes precedence. The log entry, as far as I can tell, doesn't tell me which app (if it is, in fact, an app) that is causing the truncation issue.

08-14-2012 08:22:51.849 -0700 WARN LineBreakingProcessor - Truncating line because limit of 10000 has been exceeded: 10975

Is it the event that occurred directly before this error?

We were told that the props.conf files are cumulative, but if you've got four different TRUNCATE= values across 10 props.conf files, how do you know which is being used?

kristian_kolb · ‎08-14-2012

This is probably a good place to start:

http://docs.splunk.com/Documentation/Splunk/latest/Admin/Wheretofindtheconfigurationfiles

Also, you need to know that truncation of events take place in the parsing phase, which can happen on either a heavy forwarder or an indexer, so there is no need to push such configs to a Universal forwarder. For more information on that subject, see;

http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings

Hope this helps,

Kristian

Multiple props.conf files

Unlock Database Monitoring with Splunk Observability Cloud

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join the Conversation

Multiple props.conf files

Unlock Database Monitoring with Splunk Observability Cloud

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk