Hi all,
I have very long events (more than 10,000 chars) that I have to send via syslog (UDP) to a third party system.
I'm working on a Heavy Forwarder with Splunk 8.0.3 running on Linux Red Hat.
Events are truncated at 1024.
I know that there is the parameter maxEventSize to put in outputs.conf, but it doesn't work in my situation (I set a much greater number in maxEventSize).
Has anyone had the same problem?
Thanks in advance.
Ciao.
Giuseppe
Hi,
What number did you set on maxEventSize?
Did you restart the splunk service?
Hi @Brujita,
Thank you for your answer.
I followed this problem with Splunk Support.
In a few words: I tried to set maxEventSize to many values (1B, 65,000, 25,000; yes, I restarted Splunk!) and I found that, even adding a second pipeline, the max number was between 20,000 and 26,000; otherwise the queues were full and the system blocked.
There's no solution, so I changed the approach, using the "Splunk App for CEF" and reducing the message length.
Thank you again.
Ciao.
Giuseppe
That is great @gcusello !! Thanks for the input.
Brujita
Hi @Brujita,
If my answer solves your need, please accept the answer for the other people of the Community.
Ciao and happy splunking.
Giuseppe
P.S.: Karma Points are appreciated 😉