that's the detail. The same happens to me with an F5 ASM

For syslog-udp there is a maximum possible size that the messages can be in the way they are transmitted over the network. Splunk cannot help here.
For syslog-tcp, splunk does not even know that it is accepting syslog when accepting the data. There is nothing in splunk that truncates lines other than the TRUNCATE setting described by MuS, which defaults to 10KB.

Hi jrodman
I tried also with syslog via TCP / 514, and also truncated, that's normal?
I am what I am doing from ironport wsa

You can only choose syslog for text-based logs.

The Syslog Push method sends log messages to a remote syslog server on port 514. This method conforms to RFC 3164.

Maximum message size is configurable on the WSA

You can increase the maximum message size on a log subscription in the WSA. It defaults to 1024. 

When you choose this method, you must enter the following information:

• Syslog server hostname
• Protocol to use for transmission, either UDP or TCP
• Maximum message size

  Valid values for UDP are 1024 to 9216.

  Valid values for TCP are 1024 to 65535.

  Maximum message size depends on the syslog server configuration.

• Facility to use with the log

I think this really is a question for Cisco/Ironport. How can the device be configured to produce its data in a complete way?

Syslog-ng can transport much longer events; up to 8K I believe but the syslog shipped with most linux and UNIX distributions can't, even when using a tcp transport.

Yeah i think the typical syslog follows the recommended max length specification. Oops, I forgot.

Hi gpradeepkumarreddy
Thanks for your answer, I have understood that 1 character = 1 byte approx.
However, the lines are approximately 1500 characters, yet are cut, switch to 0 and continue slashing. Have something to do it syslog 514/udp?