Hi all,
We are using Splunk version 6.6.6. Whenever we run a query where the log size of each event is more than 10 KB, we are unable to parse it. We analyzed our search.log and found the following warnings.
11-12-2018 17:38:11.475 WARN  SearchOperator:kv - date_hour is an indexed field, ignoring TOKENIZER
11-12-2018 17:38:11.475 WARN  SearchOperator:kv - date_mday is an indexed field, ignoring TOKENIZER
11-12-2018 17:38:11.475 WARN  SearchOperator:kv - date_minute is an indexed field, ignoring TOKENIZER
11-12-2018 17:38:11.475 WARN  SearchOperator:kv - date_month is an indexed field, ignoring TOKENIZER
11-12-2018 17:38:11.475 WARN  SearchOperator:kv - date_second is an indexed field, ignoring TOKENIZER
11-12-2018 17:38:11.475 WARN  SearchOperator:kv - date_wday is an indexed field, ignoring TOKENIZER
11-12-2018 17:38:11.475 WARN  SearchOperator:kv - date_year is an indexed field, ignoring TOKENIZER
11-12-2018 17:38:11.475 WARN  SearchOperator:kv - date_zone is an indexed field, ignoring TOKENIZER
11-12-2018 17:38:11.475 WARN  SearchOperator:kv - host is an indexed field, ignoring TOKENIZER
11-12-2018 17:38:11.475 WARN  SearchOperator:kv - index is an indexed field, ignoring TOKENIZER
11-12-2018 17:38:11.475 WARN  SearchOperator:kv - linecount is an indexed field, ignoring TOKENIZER
11-12-2018 17:38:11.475 WARN  SearchOperator:kv - punct is an indexed field, ignoring TOKENIZER
11-12-2018 17:38:11.475 WARN  SearchOperator:kv - source is an indexed field, ignoring TOKENIZER
11-12-2018 17:38:11.475 WARN  SearchOperator:kv - sourcetype is an indexed field, ignoring TOKENIZER
11-12-2018 17:38:11.475 WARN  SearchOperator:kv - splunk_server is an indexed field, ignoring TOKENIZER
11-12-2018 17:38:11.475 WARN  SearchOperator:kv - splunk_server_group is an indexed field, ignoring TOKENIZER
11-12-2018 17:38:11.475 WARN  SearchOperator:kv - timeendpos is an indexed field, ignoring TOKENIZER
11-12-2018 17:38:11.475 WARN  SearchOperator:kv - timestartpos is an indexed field, ignoring TOKENIZER
11-12-2018 17:38:11.475 WARN  SearchOperator:kv - buildRegexList provided empty conf key, ignoring.
11-12-2018 17:38:11.475 WARN  SearchOperator:kv - date_hour is an indexed field, ignoring TOKENIZER
11-12-2018 17:38:11.475 WARN  SearchOperator:kv - date_mday is an indexed field, ignoring TOKENIZER
11-12-2018 17:38:11.476 WARN  SearchOperator:kv - date_minute is an indexed field, ignoring TOKENIZER
11-12-2018 17:38:11.476 WARN  SearchOperator:kv - date_month is an indexed field, ignoring TOKENIZER
11-12-2018 17:38:11.476 WARN  SearchOperator:kv - date_second is an indexed field, ignoring TOKENIZER
11-12-2018 17:38:11.476 WARN  SearchOperator:kv - date_wday is an indexed field, ignoring TOKENIZER
11-12-2018 17:38:11.476 WARN  SearchOperator:kv - date_year is an indexed field, ignoring TOKENIZER
11-12-2018 17:38:11.476 WARN  SearchOperator:kv - date_zone is an indexed field, ignoring TOKENIZER
11-12-2018 17:38:11.476 WARN  SearchOperator:kv - host is an indexed field, ignoring TOKENIZER
11-12-2018 17:38:11.476 WARN  SearchOperator:kv - index is an indexed field, ignoring TOKENIZER
11-12-2018 17:38:11.476 WARN  SearchOperator:kv - linecount is an indexed field, ignoring TOKENIZER
11-12-2018 17:38:11.476 WARN  SearchOperator:kv - punct is an indexed field, ignoring TOKENIZER
11-12-2018 17:38:11.476 WARN  SearchOperator:kv - source is an indexed field, ignoring TOKENIZER
11-12-2018 17:38:11.476 WARN  SearchOperator:kv - sourcetype is an indexed field, ignoring TOKENIZER
11-12-2018 17:38:11.476 WARN  SearchOperator:kv - splunk_server is an indexed field, ignoring TOKENIZER
11-12-2018 17:38:11.476 WARN  SearchOperator:kv - splunk_server_group is an indexed field, ignoring TOKENIZER
11-12-2018 17:38:11.476 WARN  SearchOperator:kv - timeendpos is an indexed field, ignoring TOKENIZER
11-12-2018 17:38:11.476 WARN  SearchOperator:kv - timestartpos is an indexed field, ignoring TOKENIZER
11-12-2018 17:38:11.478 INFO  UserManager - Unwound user context: admin -> NULL
11-12-2018 17:38:11.478 INFO  UserManager - Unwound user context: admin -> NULL
11-12-2018 17:38:11.478 INFO  UserManager - Unwound user context: admin -> NULL
11-12-2018 17:38:11.478 INFO  UserManager - Unwound user context: admin -> NULL
11-12-2018 17:38:11.479 INFO  UserManager - Unwound user context: admin -> NULL
11-12-2018 17:38:11.479 INFO  UserManager - Unwound user context: admin -> NULL
11-12-2018 17:38:11.480 INFO  UserManager - Unwound user context: admin -> NULL
I think it's not the issue with event size. The setting below, which controls the event size, is always set to the default unless you specify it.
sendEventMaxSize = 
 * The maximum size, in bytes, that an fschange event can be for the input to
   send the full event to be indexed. 
 * Limits the size of event data that the fschange input sends.
 * This limits the size of indexed file data.
 * Default: -1 (unlimited).
Where do I need to set this value, sendEventMaxSize?

Those messages are unrelated.
You can change the limit of how much raw data autokv uses in limits.conf:
[kv]
maxchars = <integer>
* Truncate _raw to this size and then do auto KV.
* Default: 10240 characters
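
The effect of the `maxchars` limit described in this answer can be seen in a small model. This is an added example, not part of the original thread and not Splunk's own code: `auto_kv`, `missing_fields`, `longest_event` and `build_event` are hypothetical names, the regex is a simplified stand-in for automatic key=value extraction, and the events are constructed.

```python
import re

DEFAULT_MAXCHARS = 10240  # default quoted from the [kv] stanza above

# Simplified stand-in for automatic key=value extraction (assumption: the real
# extractor is more elaborate; only the truncate-then-extract step is modelled).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def auto_kv(raw, maxchars=DEFAULT_MAXCHARS):
    """Truncate raw to maxchars characters, then extract key=value pairs."""
    window = raw[:maxchars]
    return {key: value.strip('"') for key, value in KV_RE.findall(window)}


def missing_fields(raw, maxchars=DEFAULT_MAXCHARS):
    """Fields that are lost or cut short because of the truncation."""
    full = auto_kv(raw, maxchars=len(raw))
    seen = auto_kv(raw, maxchars)
    return sorted(key for key in full if full[key] != seen.get(key))


def longest_event(events):
    """Length of the longest single event: the smallest limit that loses nothing."""
    return max((len(event) for event in events), default=0)


def build_event(payload_chars):
    """Constructed sample event with fields before and after a large payload."""
    head = "2018-11-12T17:38:11 action=login user=alice "
    filler = "payload=" + "A" * payload_chars
    tail = " src_ip=192.0.2.10 status=failure"
    return head + filler + tail


if __name__ == "__main__":
    small, big = build_event(100), build_event(12000)
    print("small event, fields lost:", missing_fields(small))
    print("big event, fields lost:  ", missing_fields(big))
    needed = longest_event([small, big])
    print("limit needed:", needed, "->", missing_fields(big, maxchars=needed))
```

Fields that sit after the cut-off, here the constructed `src_ip` and `status`, never reach the extractor, so searches and alerts that depend on them silently return nothing for oversized events.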
 
Are your events 50mb in size, or is your file containing many events 50mb in size? The maxchars setting applies to event size, not file size.

That depends on your data.
I am using 2 log files and the total size is 50000 KB. What is the ideal value for [kv]?

10240 is the default, not going to change anything by setting that.
Could you please suggest what the correct value is that I need to set?
[kv]
maxchars = 20480  ---> OK, or do I need to set a higher value?
I added this in limit.conf:
[kv]
maxchars = 10240
but I still have the same issue.
What is the maximum value for maxchars?
