Getting Data In

Using Transforms.conf truncates my data at 3925 characters - Why?

kendrickt
Path Finder

Ladies and Gents,

I'm struggling trying to transform some of my data.

props.conf

[st1]
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
TRUNCATE = 0
TRANSFORMS-1 = t1, t2
BREAK_ONLY_BEFORE_DATE = false

transforms.conf

[t1]
REGEX = ^(.*)data(data I want to capture)data(.*)$
FORMAT = $1<newfield>$2</newfield>$3
DEST_KEY = _raw

[t2]
REGEX = ^(.*)different data(different data I want to capture)different data(.*)$
FORMAT = $1<newfield1>$2</newfield2>$3
DEST_KEY = _raw

There problem I have is when the data is passed to transforms.conf, the resulting event is truncated at 3925 characters. whereas the data that isn't modified by transforms.conf remains fine.

Please help

Thanks

1 Solution

kendrickt
Path Finder

Just figured out the answer - Splunk was truncating at 4096 characters. So I added LOOKAHEAD = 20000 to my tranforms.conf and it works!

View solution in original post

kendrickt
Path Finder

Just figured out the answer - Splunk was truncating at 4096 characters. So I added LOOKAHEAD = 20000 to my tranforms.conf and it works!

saurabh_tek11
Communicator

Thanks for sharing your finding

0 Karma
Get Updates on the Splunk Community!

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...

Splunkbase | Splunk Dashboard Examples App for SimpleXML End of Life

The Splunk Dashboard Examples App for SimpleXML will reach end of support on Dec 19, 2024, after which no new ...

Understanding Generative AI Techniques and Their Application in Cybersecurity

Watch On-Demand Artificial intelligence is the talk of the town nowadays, with industries of all kinds ...