Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Prevent splunk from splitting file dump into 2 events?

msarro
Builder
‎07-15-2013 12:42 PM

Hello,
I have a universal forwarders installed on several servers. Each one is configured to monitor a license utilization file which is regenerated every day by a piece of 3rd party software. However, the file is being split into two events for some reason on only a few of our servers. The split always occurs at 257 lines.

Our props.conf file on our indexers reads like this:
[TRUNKING_AS_LICENSE_FILE]
MAX_TIMESTAMP_LOOKAHEAD = 40
TZ = UTC
MAX_EVENTS=10000

So what exactly would be causing the file to line break when I search with the search head? Is it a limit on the search head side of things to not show events longer than 256 lines? Any advice would be helpful.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎07-15-2013 12:51 PM

Splunk limits events to 10000 characters by default. So in addition to setting MAX_EVENTS, you may also want to set TRUNCATE

TRUNCATE = 0

means "never truncate" but you can also set a large integer value as well...

The Splunk indexer does not really care about silly human things like line breaks or lengths. 🙂 These settings are to keep things sane for us. I have seen events that were over 10K in size, and Splunk worked fine. However - it is not possible to see an event this large in the Splunk UI. Or at least, you can't view the entire event all at once. But it is there in Splunk...

View solution in original post

Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎07-15-2013 12:51 PM

Splunk limits events to 10000 characters by default. So in addition to setting MAX_EVENTS, you may also want to set TRUNCATE

TRUNCATE = 0

means "never truncate" but you can also set a large integer value as well...

The Splunk indexer does not really care about silly human things like line breaks or lengths. 🙂 These settings are to keep things sane for us. I have seen events that were over 10K in size, and Splunk worked fine. However - it is not possible to see an event this large in the Splunk UI. Or at least, you can't view the entire event all at once. But it is there in Splunk...

Reply
Solved! Jump to solution

msarro
Builder
‎07-16-2013 06:36 AM

This worked exactly as I needed, thank you! I now have beautiful 281 line events, ha!

0 Karma
Reply
Solved! Jump to solution

msarro
Builder
‎07-15-2013 02:13 PM

I will give this a try and see if it resolves the problem tomorrow morning. Thank you for the feedback either way!

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...