We are noticing that some of the log entries are getting truncated. We are using the log4j sourcetype.
The actual log entry looks like the one below. However, several times we will only see the first two lines, and the line starting with Title: onwards will be truncated. Any ideas how to fix it?
Splunk and the forwarder are both 5.0.3.
2013-12-10 10:11:27,986 INFO [something.here] 🙂 Transfer successful! Bytes: 508,174,896, ET: 0:00:12.604
Title: ABCD - 11/23/12 EFGH - Something HERE - username (00:11:48;00 - 00:12:22;00)
If the events are truncated in the middle of the line, it can be that your application has a write buffer.
See the setting time_before_close in inputs.conf.
After testing with a sample, the issue can also be event line breaking.
Please try with this custom log4j sourcetype in props.conf
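As an added example (not the answerer's stanza, which does not appear on this page), one props.conf override that keeps continuation lines attached to the event they belong to. It assumes every event starts with a timestamp in the format of the sample above, and that the split is caused by the date inside the Title: line (11/23/12) being treated as the start of a new event.

```ini
# props.conf (local) - constructed example for the sample log format on this page
[log4j]
# Merge lines into multi-line events
SHOULD_LINEMERGE = true
# Do not start a new event just because a line contains something date-like
BREAK_ONLY_BEFORE_DATE = false
# Start a new event only at a line beginning with "YYYY-MM-DD HH:MM:SS,mmm"
BREAK_ONLY_BEFORE = ^\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2},\d{3}
# Read the timestamp from the start of the event only
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
# "2013-12-10 10:11:27,986" is 23 characters long
MAX_TIMESTAMP_LOOKAHEAD = 23
```

These settings take effect where the data is parsed (the indexer or a heavy forwarder) and only for events indexed after the change. Searching a wider time range for stray events beginning with Title: is a quick way to confirm whether the lines were split off rather than lost.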
Ok...and do you see any specific pattern from which the events are truncated? Maybe after a timestamp-like field? It would be great if you could provide an example of a truncated event and the corresponding full event.
I do not have any custom props and transforms. The only thing we have defined is a local inputs.conf. We are using the predefined sourcetype - http://docs.splunk.com/Documentation/Splunk/5.0.3/Data/Listofpretrainedsourcetypes
host_segment = 5
sourcetype = log4j
index = myIndex
disabled = false