Hi all,
I have very long events (more than 10,000 chars) that I have to send via syslog (udp) to a third party system.
I'm working on a Heavy Forwarder with Splunk 8.0.3 running on Linux Red Hat.
Events are truncated at 1024.
I know that there is the parameter maxEventSize to put in outputs.conf, but it doesn't work in my situation (I set a much greater number in maxEventSize).
Has anyone had the same problem?
Thanks in advance.
Thank you for your answer.
I followed up on this problem with Splunk Support.
In a few words: I tried to set maxEventSize to many values: 1B, 65,000, 25,000 (yes, I restarted Splunk!), and I found that, even adding a second pipeline, the max number was between 20,000 and 26,000; otherwise the queues were full and the system blocked.
There's no solution, so I changed the approach, using the "Splunk App for CEF" and reducing the message length.
Thank you again.