Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Prevent splunk from splitting file dump into 2 events?

msarro
Builder
‎07-15-2013 12:42 PM

Hello,
I have a universal forwarders installed on several servers. Each one is configured to monitor a license utilization file which is regenerated every day by a piece of 3rd party software. However, the file is being split into two events for some reason on only a few of our servers. The split always occurs at 257 lines.

Our props.conf file on our indexers reads like this:
[TRUNKING_AS_LICENSE_FILE]
MAX_TIMESTAMP_LOOKAHEAD = 40
TZ = UTC
MAX_EVENTS=10000

So what exactly would be causing the file to line break when I search with the search head? Is it a limit on the search head side of things to not show events longer than 256 lines? Any advice would be helpful.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎07-15-2013 12:51 PM

Splunk limits events to 10000 characters by default. So in addition to setting MAX_EVENTS, you may also want to set TRUNCATE

TRUNCATE = 0

means "never truncate" but you can also set a large integer value as well...

The Splunk indexer does not really care about silly human things like line breaks or lengths. 🙂 These settings are to keep things sane for us. I have seen events that were over 10K in size, and Splunk worked fine. However - it is not possible to see an event this large in the Splunk UI. Or at least, you can't view the entire event all at once. But it is there in Splunk...

View solution in original post

Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎07-15-2013 12:51 PM

Splunk limits events to 10000 characters by default. So in addition to setting MAX_EVENTS, you may also want to set TRUNCATE

TRUNCATE = 0

means "never truncate" but you can also set a large integer value as well...

The Splunk indexer does not really care about silly human things like line breaks or lengths. 🙂 These settings are to keep things sane for us. I have seen events that were over 10K in size, and Splunk worked fine. However - it is not possible to see an event this large in the Splunk UI. Or at least, you can't view the entire event all at once. But it is there in Splunk...

Reply
Solved! Jump to solution

msarro
Builder
‎07-16-2013 06:36 AM

This worked exactly as I needed, thank you! I now have beautiful 281 line events, ha!

0 Karma
Reply
Solved! Jump to solution

msarro
Builder
‎07-15-2013 02:13 PM

I will give this a try and see if it resolves the problem tomorrow morning. Thank you for the feedback either way!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Monitoring AI Agents with Splunk Observability Cloud

Let’s say I’m running a travel planning AI app in production. A user asks for three concise hotel options in ...

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...