Solved: truncate logs with syslog

torbael · ‎05-02-2011

Hi,

I'm using an UDP connection with syslog and Splunk.

My problem is that Splunk only show me the firsts 2072 characters of a log. I try to increase the values of "TRUNCATE" and "MAX_EVENTS" inside the props.conf, but it didn't work.

Also I checked with Wireshark that the logs are sended correctly with syslog.

Any suggestions?

Thanks.

jaoui · ‎05-19-2011

I was told that Splunk's syslog implementation is 'RFC compliant' so that it only accepts the first 1KB of a syslog message. Maybe you are running into something related to that limitation?

View solution in original post

jaoui · ‎05-19-2011

I was told that Splunk's syslog implementation is 'RFC compliant' so that it only accepts the first 1KB of a syslog message. Maybe you are running into something related to that limitation?

jbsplunk · ‎05-02-2011

Not sure if this will help, but did you try setting TRUNCATE = 0? Also, you should keep in mind that MAX_EVENTS only take affect if SHOULD_LINEMERGE = true.

truncate logs with syslog

Splunk Search APIを使えば調査過程が残せます

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!

Join the Conversation

truncate logs with syslog

Splunk Search APIを使えば調査過程が残せます

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!