I have json data that can vary greatly in size with the timestamp field coming at the end of each event. I'm able to parse all the timestamps correctly using the config TIMEPREFIX="timestamp":+ except for the events that are very large. My question is, in order to parse the timestamp for the very large events, do I need to add a MAXTIMESTAMPLOOKAHEAD? Or if I added a larger TRUNCATE would the TIMEPREFIX config still need the MAXTIMESTAMPLOOKAHEAD?
The MAX_TIMESTAMP_LOOKAHEAD settings starts at TIME_PREFIX so changing it won't help. It's likely you're running into your TRUNCATE limit. Try increasing that after you make sure events are breaking correctly.
--- If this reply helps you, an upvote would be appreciated.
As @richgalloway rightly pointed, you should look into increasing the value of TRUNCATE (Defaults to 10,000). Splunk logs it's complain regarding the truncate issues in splunkd.log inside $SPLUNK_HOME/var/log/splunk. You can check it, to make sure you're facing the same issue.