I need to change the TRUNCATE= value to a higher one as I'm getting truncate warnings in my events. However, we have numerous props.conf files - several for the different apps, the default, and the one that is pushed to all of our forwarders and indexers from our deployment server. I could manually go in and change them all, but I want to figure out which one takes precedence. The log entry, as far as I can tell, doesn't tell me which app (if it is, in fact, an app) that is causing the truncation issue.
08-14-2012 08:22:51.849 -0700 WARN LineBreakingProcessor - Truncating line because limit of 10000 has been exceeded: 10975
Is it the event that occurred directly before this error?
We were told that the props.conf files are cumulative, but if you've got four different TRUNCATE= values across 10 props.conf files, how do you know which is being used?
This is probably a good place to start:
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Wheretofindtheconfigurationfiles
Also, you need to know that truncation of events take place in the parsing phase, which can happen on either a heavy forwarder or an indexer, so there is no need to push such configs to a Universal forwarder. For more information on that subject, see;
http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings
Hope this helps,
Kristian