Solved: Using Transforms.conf truncates my data at 3925 ch...

kendrickt · ‎02-17-2015

Ladies and Gents,

I'm struggling trying to transform some of my data.

props.conf

[st1]
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
TRUNCATE = 0
TRANSFORMS-1 = t1, t2
BREAK_ONLY_BEFORE_DATE = false

transforms.conf

[t1]
REGEX = ^(.*)data(data I want to capture)data(.*)$
FORMAT = $1<newfield>$2</newfield>$3
DEST_KEY = _raw

[t2]
REGEX = ^(.*)different data(different data I want to capture)different data(.*)$
FORMAT = $1<newfield1>$2</newfield2>$3
DEST_KEY = _raw

There problem I have is when the data is passed to transforms.conf, the resulting event is truncated at 3925 characters. whereas the data that isn't modified by transforms.conf remains fine.

Please help

Thanks

kendrickt · ‎02-18-2015

Just figured out the answer - Splunk was truncating at 4096 characters. So I added LOOKAHEAD = 20000 to my tranforms.conf and it works!

View solution in original post

kendrickt · ‎02-18-2015

Just figured out the answer - Splunk was truncating at 4096 characters. So I added LOOKAHEAD = 20000 to my tranforms.conf and it works!

saurabh_tek11 · ‎12-19-2017

Thanks for sharing your finding

Using Transforms.conf truncates my data at 3925 characters - Why?

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Join the Conversation

Using Transforms.conf truncates my data at 3925 characters - Why?

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Splunk MCP & Agentic AI: Machine Data Without Limits