Getting Data In

Why are not all application logs getting forwarded to Splunk?

Communicator

I have sporadic issues where not all the logs from application logs are getting forwarded to Splunk. I see gaps in logs when i search in Splunk.

(a) Is Splunk slow catching up with high log volume generated by application? If so, how can i prevent this?
(b) Could long XML or binary data in the logs cause some of these issues?

Appreciate your feed back.

Tags (2)
0 Karma
1 Solution

Builder

Hello,

I believe that long log lines are truncated due to TRUNCATE parameter in props.conf, have a look in /opt/splunk/var/log/splunk/splunkd.log to confirm.

To disable truncation

[App_Sourcetype]
TRUNCATE = 0

As per Splunk docs:

TRUNCATE =
Change the default maximum line length (in bytes).
Although this is in bytes, line length is rounded down when this would
otherwise land mid-character for multi-byte characters.
Set to 0 if you never want truncation (very long lines are, however, often a sign of
garbage data).
Defaults to 10000 bytes.

Regards,
Ahmed

View solution in original post

0 Karma

Builder

Hello,

I believe that long log lines are truncated due to TRUNCATE parameter in props.conf, have a look in /opt/splunk/var/log/splunk/splunkd.log to confirm.

To disable truncation

[App_Sourcetype]
TRUNCATE = 0

As per Splunk docs:

TRUNCATE =
Change the default maximum line length (in bytes).
Although this is in bytes, line length is rounded down when this would
otherwise land mid-character for multi-byte characters.
Set to 0 if you never want truncation (very long lines are, however, often a sign of
garbage data).
Defaults to 10000 bytes.

Regards,
Ahmed

View solution in original post

0 Karma