Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Syslog forwarding to 3rd party: Why are events truncated at 1024 bytes?

gcusello
SplunkTrust
SplunkTrust
‎06-26-2020 02:15 AM

Hi at all,

I have very long events (more than 10,000 chars) that I have to send via syslog (udp) to a third party system.

I'm working on an Heavy Forwarder with Splunk 8.0.3 running on Linux Red Hat.

Events are truncated at 1024.

I know that there the parameter maxEventSize to put in outputs.conf but it doesn't run in my situation (I inserted a very greater number in maxEventSize).

Had anyone the same problem?

Thanks in advance.

Ciao.

Giuseppe

Labels (1)
Labels
0 Karma
Reply

Brujita
Engager
‎08-04-2020 05:36 PM

Hi,

What number did you set on maxEventSize ?

 

Did you restart the splunk service?

 

 

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎08-06-2020 01:14 AM

Hi @Brujita,

Thank you for your answer.

I followed this problem with Splunk Support

In few words: I Tried to set maxEventSize to many values 1B, 65,000, 25,000 (yes: i restarted Splunk!) and I found that also adding a second pipeline the max number was between 20,000 and 26,000, otherwise the queues were full and system blocked.

There's no solution, so I changed the approach, using the "Splunk App for CEF" and reducing the message lenght.

Thank you again.

Ciao.

Giuseppe

0 Karma
Reply

Brujita
Engager
‎08-23-2020 07:51 PM

That is great @gcusello !! Thanks for the input.

Brujita

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎08-23-2020 11:11 PM

Hi @Brujita,

if my answer solves your need, please accept the answer fot the other people of Community.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply
Get Updates on the Splunk Community!

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...