I'm pulling in events from the journal of a number of Linux hosts using the journald modular input.
I'm seeing truncated events every so often and, when I look at the length of _raw, I see that it's always 4088 bytes.
The man page for journalctl (https://www.freedesktop.org/software/systemd/man/journalctl.html) says that when events are output in JSON format, "Fields larger than 4096 bytes are encoded as null values. (This may be turned off by passing --all, but be aware that this may allocate overly long JSON objects.)"
I'm presuming that's what's happening with the truncated events that I'm seeing. Is anyone aware of a way around this? I can't see any configuration setting associated with the journald modular input that would let me enable the '--all' flag.
FWIW, I'm running Splunk Enterprise 9.0.2
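One way to make this failure mode visible rather than silent, as an added example that is not from the original post or from Splunk's journald input: parse `journalctl -o json` lines, normalise journald's field encodings (null for oversized fields, a list of byte values for non-UTF-8 fields) and report which fields were dropped so truncated events can be counted or alerted on. The sample lines below are constructed, not real journal output.

```python
"""Flag journald JSON records whose fields were replaced by null.

Without --all, journalctl -o json emits null for any field larger than
4096 bytes and a list of integers for non-UTF-8 field values. This
example (not Splunk's code) normalises both and reports dropped fields.
"""
import json
from typing import Any, Dict, List, Tuple

# Constructed sample lines in the shape of `journalctl -o json` output.
SAMPLE_LINES = [
    '{"__CURSOR":"s=1","_HOSTNAME":"web01","SYSLOG_IDENTIFIER":"sshd",'
    '"MESSAGE":"Accepted publickey for deploy from 10.0.0.5"}',
    # MESSAGE was larger than 4096 bytes, so journalctl encoded it as null.
    '{"__CURSOR":"s=2","_HOSTNAME":"web01","SYSLOG_IDENTIFIER":"app",'
    '"MESSAGE":null}',
    # Non-UTF-8 payload: journalctl emits the raw bytes as an integer list.
    '{"__CURSOR":"s=3","_HOSTNAME":"web01","SYSLOG_IDENTIFIER":"app",'
    '"MESSAGE":[104,105,255]}',
]


def normalise_field(value: Any) -> Tuple[Any, bool]:
    """Return (value, truncated). null -> dropped; int list -> bytes."""
    if value is None:
        return None, True
    if isinstance(value, list) and all(isinstance(b, int) for b in value):
        return bytes(value), False
    return value, False


def parse_record(line: str) -> Dict[str, Any]:
    """Parse one JSON line and list the fields journalctl dropped."""
    record = json.loads(line)
    fields: Dict[str, Any] = {}
    dropped: List[str] = []
    for name, raw in record.items():
        val, truncated = normalise_field(raw)
        fields[name] = val
        if truncated:
            dropped.append(name)
    return {"cursor": record.get("__CURSOR"),
            "fields": fields, "dropped_fields": dropped}


def find_truncated(lines: List[str]) -> List[str]:
    """Cursors of records with at least one null-encoded field."""
    return [r["cursor"] for r in map(parse_record, lines)
            if r["dropped_fields"]]


if __name__ == "__main__":
    for cursor in find_truncated(SAMPLE_LINES):
        print(f"record {cursor}: field(s) exceeded 4096 bytes, rerun with --all")
```

A count of such records per host is a simple health metric for the input: any non-zero value means events were exported with missing data.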