Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Why is my JSON format log getting truncated?

pdantuuri0411
Explorer
‎09-12-2018 08:52 AM

I have a log which has a JSON format line in the middle. Splunk is extracting the log but is truncating the JSON part to 26 lines. How do I get the full log without Splunk truncating the JSON lines?

0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎09-12-2018 03:02 PM

Hi pdantuuri0411,

without seeing a sample event, my guess is that Splunk sees one of the values in the JSON as an epoch timestamp. Have a read here http://docs.splunk.com/Documentation/Splunk/latest/Data/Configureeventlinebreaking and configure the line breaking according.

Hope this helps ...

cheers, MuS

0 Karma
Reply

KailA
Contributor
‎09-12-2018 12:54 PM

Splunk truncateS an event after 10 000 characters, if you want to add more characters to a single event, you should modify your sourcetype in props.conf and add TRUNCATE = <integer>
That should be enough.

KailA

Reply

yarick
Path Finder
‎09-12-2018 12:12 PM

MAX_EVENTS = <integer> Specifies the maximum number of input lines that Splunk software adds to any event. The software breaks the event after it reads the specified number of lines. 256 lines

REF. https://docs.splunk.com/Documentation/Splunk/7.1.2/Data/Configureeventlinebreaking

0 Karma
Reply

mstjohn_splunk
Splunk Employee
Splunk Employee
‎09-12-2018 09:46 AM

Hi @pdanturri0411,

Thanks for posting. Could you give us some more context for your query? You have a much better chance of getting your question answered if you provide more information about your issue. Plus, it will help guide future community users who are facing a similar problem.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Unlocking Unified Insights: New Gigamon Federated Search App for Splunk

In today’s data-heavy environment, organizations are caught in a data distribution dilemma. As data volumes ...

GA: New Data Management App in Splunk Platform

Streamlining Data Management: Introducing a unified experience in Splunk Managing data at scale shouldn’t feel ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...