Hi All,
I have a log with 3 event inside of it, ( you can see it on the screenshot, I paste the sample logs here : https://regex101.com/r/EvmMeR/1
I manage to DROP the 3rd event by finding the LOGS that are greater than 2000 characters.
The problem is , I dropped the event but Splunk still raise the issue:
11-24-2021 08:02:57.049 +0000 WARN LineBreakingProcessor [6453 parsing] - Truncating line because limit of 2000 bytes has been exceeded with a line length >= 55179 - data_source="SAMPLETOSHARE.txt", data_host="5bfd55dbdcdd", data_sourcetype="sample"
Is there a way to stop splunk from flagging issue for those logs that was dropped ?
Line breaking happens before any transforms that might discard events so the log message has already been written by the time the event is dropped. There's no way to avoid that, except by using a third-party tool like Cribl to discard events before they reach the indexer.
Line breaking happens before any transforms that might discard events so the log message has already been written by the time the event is dropped. There's no way to avoid that, except by using a third-party tool like Cribl to discard events before they reach the indexer.
Thanks @richgalloway