Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

WARN LineBreakingProcessor

jadengoho
Builder
‎11-24-2021 12:06 AM

Hi All, 
I have a log with 3 event inside of it, ( you can see it on the screenshot, I paste the sample logs here : https://regex101.com/r/EvmMeR/1

  • 1st Event -  Short event 
  • 2nd Event - Short event and multi-line
  • 3rd Event - VERY LONG and multi-line, need to be dropped as per the client.

jadengoho_0-1637740603378.png

I manage to DROP the 3rd event by finding the LOGS that are greater than 2000 characters.

The problem is , I dropped the event but Splunk still raise the issue:
11-24-2021 08:02:57.049 +0000 WARN LineBreakingProcessor [6453 parsing] - Truncating line because limit of 2000 bytes has been exceeded with a line length >= 55179 - data_source="SAMPLETOSHARE.txt", data_host="5bfd55dbdcdd", data_sourcetype="sample"

jadengoho_1-1637740993087.png

 

Is there a way to stop splunk from flagging issue for those logs that  was dropped ? 

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎11-24-2021 06:08 AM

Line breaking happens before any transforms that might discard events so the log message has already been written by the time the event is dropped.  There's no way to avoid that, except by using a third-party tool like Cribl to discard events before they reach the indexer.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎11-24-2021 06:08 AM

Line breaking happens before any transforms that might discard events so the log message has already been written by the time the event is dropped.  There's no way to avoid that, except by using a third-party tool like Cribl to discard events before they reach the indexer.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

jadengoho
Builder
‎11-24-2021 06:06 PM

Thanks @richgalloway 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Data Management Digest – May 2026

Welcome to the May 2026 edition of Data Management Digest!   As your trusted partner in data innovation, the ...

Index This | What is feather-light but cannot be held long?

May 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

.conf26 Registration is Live: Secure Your Early Bird Pass Now

  Lock in Your Spot: Registration Open for .conf26 in Denver Hello Splunkers, I have exciting news! Your ...