Solved: Using Transforms.conf truncates my data at 3925 ch...

kendrickt · ‎02-17-2015

Ladies and Gents,

I'm struggling trying to transform some of my data.

props.conf

[st1]
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
TRUNCATE = 0
TRANSFORMS-1 = t1, t2
BREAK_ONLY_BEFORE_DATE = false

transforms.conf

[t1]
REGEX = ^(.*)data(data I want to capture)data(.*)$
FORMAT = $1<newfield>$2</newfield>$3
DEST_KEY = _raw

[t2]
REGEX = ^(.*)different data(different data I want to capture)different data(.*)$
FORMAT = $1<newfield1>$2</newfield2>$3
DEST_KEY = _raw

There problem I have is when the data is passed to transforms.conf, the resulting event is truncated at 3925 characters. whereas the data that isn't modified by transforms.conf remains fine.

Please help

Thanks

kendrickt · ‎02-18-2015

Just figured out the answer - Splunk was truncating at 4096 characters. So I added LOOKAHEAD = 20000 to my tranforms.conf and it works!

View solution in original post

kendrickt · ‎02-18-2015

Just figured out the answer - Splunk was truncating at 4096 characters. So I added LOOKAHEAD = 20000 to my tranforms.conf and it works!

saurabh_tek11 · ‎12-19-2017

Thanks for sharing your finding

Using Transforms.conf truncates my data at 3925 characters - Why?

Dashboard Studio Challenge - Learn New Tricks, Showcase Your Skills, and Win Prizes!

Introducing Edge Processor: Next Gen Data Transformation

Take the 2021 Splunk Career Survey for $50 in Amazon Cash