Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Would it be any issues for Splunk indexer/UF to handle this large size of TRUNCATE value or event size?

SplunkDash
Motivator
‎05-22-2022 12:46 PM

Hello,

I have a source file with a very large event size as I require to use TRUNCATE=1000000 in my props. Do you think....it would be any issue for SPLUNK indexer/UF to handle this large size of TRUNCATE value or event size? Are there any other alternatives if there are any issues? Any recommendation would be highly appreciated. Thank you!

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PickleRick
Ultra Champion
‎05-23-2022 11:32 AM

Not really. It could help a bit if you had indexed fields and you created and pushed them explicitly with HEC instead of having the HF/indexer parse them out but other than that there should be not much of a real difference. The search-time extractions are just that - performed at search time so they are performed at every time you search through your events.

View solution in original post

Reply
Solved! Jump to solution

PickleRick
Ultra Champion
‎05-22-2022 10:41 PM

I see at least two possible issues.

One is simply with displaying such bug events in UI. You might have performance problems rendering lists of events.

Second one is with indexing. You would either have big fields which would pump your index files up or have relatively small fields which would probably make Splunk have to go over many events just to parse and discard them from search which means very inefficient searching.

Remember that Splunk breaks your event into terms separated by delimiters and indexes those terms. Then if you're searching for key=value, Splunk checks for the value in its indexes and then if the index points to a specific event Splunk parses that event to see whether the location of the value within the event's content matches the field "key" definition. This process gets less efficient the more your search term occurs outside of your searched field. And with huge events I suppose the probability of this increases.

0 Karma
Reply
Solved! Jump to solution

SplunkDash
Motivator
‎05-23-2022 09:19 AM

Hello, 

Thank you so much for your quick reply and it makes sense to me. Do you think using REST API (instead of UF/HF pushes) in this ingestion would optimize the process? Thank you again.

0 Karma
Reply
Solved! Jump to solution
Solution

PickleRick
Ultra Champion
‎05-23-2022 11:32 AM

Not really. It could help a bit if you had indexed fields and you created and pushed them explicitly with HEC instead of having the HF/indexer parse them out but other than that there should be not much of a real difference. The search-time extractions are just that - performed at search time so they are performed at every time you search through your events.

Reply
Get Updates on the Splunk Community!

Dashboard Studio Challenge - Learn New Tricks, Showcase Your Skills, and Win Prizes!

Reimagine what you can do with your dashboards. Dashboard Studio is Splunk’s newest dashboard builder to ...

Introducing Edge Processor: Next Gen Data Transformation

We get it - not only can it take a lot of time, money and resources to get data into Splunk, but it also takes ...

Take the 2021 Splunk Career Survey for $50 in Amazon Cash

Help us learn about how Splunk has impacted your career by taking the 2021 Splunk Career Survey. Last year’s ...