I have sporadic issues where not all the logs from application logs are getting forwarded to Splunk. I see gaps in logs when I search in Splunk.
(a) Is Splunk slow catching up with high log volume generated by application? If so, how can I prevent this?
(b) Could long XML or binary data in the logs cause some of these issues?
Appreciate your feedback.
Hello,
I believe that long log lines are truncated due to the TRUNCATE parameter in props.conf; have a look in /opt/splunk/var/log/splunk/splunkd.log to confirm.
To disable truncation:
[App_Sourcetype]
TRUNCATE = 0
TRUNCATE =
Change the default maximum line length (in bytes).
Although this is in bytes, line length is rounded down when this would
otherwise land mid-character for multi-byte characters.
Set to 0 if you never want truncation (very long lines are, however, often a sign of
garbage data).
Defaults to 10000 bytes.
Regards,
Ahmed
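Added example, not part of the answer above and not Splunk code: a Python sketch that models the TRUNCATE rule as quoted (byte limit, default 10000, rounded down so a multi-byte character is not split, 0 disables) and lists which lines of a log would be cut. It assumes UTF-8 input and one event per newline-delimited line; the function names are hypothetical and the sample lines are constructed.

```python
# Added example, not Splunk code: models the TRUNCATE rule quoted in the answer.
DEFAULT_TRUNCATE = 10000  # default from the quoted props.conf text, in bytes


def truncate_line(raw: bytes, limit: int = DEFAULT_TRUNCATE) -> bytes:
    """Cut raw to at most limit bytes without splitting a UTF-8 character.

    limit == 0 means never truncate, as in the quoted setting.
    """
    if limit == 0 or len(raw) <= limit:
        return raw
    cut = limit
    # UTF-8 continuation bytes look like 0b10xxxxxx. If the first dropped byte
    # is one, the cut is mid-character, so back up to that character's lead byte.
    while cut > 0 and (raw[cut] & 0xC0) == 0x80:
        cut -= 1
    return raw[:cut]


def find_truncated(lines, limit: int = DEFAULT_TRUNCATE):
    """Return (line_number, original_bytes, kept_bytes) for lines that would be cut."""
    hits = []
    for number, raw in enumerate(lines, start=1):
        raw = raw.rstrip(b"\r\n")
        kept = truncate_line(raw, limit)
        if len(kept) < len(raw):
            hits.append((number, len(raw), len(kept)))
    return hits


# Constructed sample input: a short line, a long XML payload, a long multi-byte line.
SAMPLE = [
    b"2024-01-01 12:00:00 INFO request ok\n",
    b"2024-01-01 12:00:01 INFO <xml>" + b"A" * 12000 + b"</xml>\n",
    b"x" + ("\u00e9" * 6000).encode("utf-8") + b"\n",
]

if __name__ == "__main__":
    for number, original, kept in find_truncated(SAMPLE):
        print(f"line {number}: {original} bytes, {kept} kept at TRUNCATE={DEFAULT_TRUNCATE}")
```

To check a real file, open it in binary mode and pass the file object to find_truncated; lines it reports are candidates for the truncation described in the answer.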