Getting Data In

Using Transforms.conf truncates my data at 3925 characters - Why?

kendrickt
Path Finder

Ladies and Gents,

I'm struggling trying to transform some of my data.

props.conf

[st1]
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
TRUNCATE = 0
TRANSFORMS-1 = t1, t2
BREAK_ONLY_BEFORE_DATE = false

transforms.conf

[t1]
REGEX = ^(.*)data(data I want to capture)data(.*)$
FORMAT = $1<newfield>$2</newfield>$3
DEST_KEY = _raw

[t2]
REGEX = ^(.*)different data(different data I want to capture)different data(.*)$
FORMAT = $1<newfield1>$2</newfield2>$3
DEST_KEY = _raw

There problem I have is when the data is passed to transforms.conf, the resulting event is truncated at 3925 characters. whereas the data that isn't modified by transforms.conf remains fine.

Please help

Thanks

1 Solution

kendrickt
Path Finder

Just figured out the answer - Splunk was truncating at 4096 characters. So I added LOOKAHEAD = 20000 to my tranforms.conf and it works!

View solution in original post

kendrickt
Path Finder

Just figured out the answer - Splunk was truncating at 4096 characters. So I added LOOKAHEAD = 20000 to my tranforms.conf and it works!

saurabh_tek11
Communicator

Thanks for sharing your finding

0 Karma
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...