I'm using a UDP connection with syslog and Splunk.
My problem is that Splunk only shows me the first 2072 characters of a log. I tried to increase the values of "TRUNCATE" and "MAX_EVENTS" inside props.conf, but it didn't work.
Also, I checked with Wireshark that the logs are sent correctly with syslog.
Not sure if this will help, but did you try setting TRUNCATE = 0? Also, you should keep in mind that MAX_EVENTS only takes effect if SHOULD_LINEMERGE = true.
I was told that Splunk's syslog implementation is 'RFC compliant' so that it only accepts the first 1KB of a syslog message. Maybe you are running into something related to that limitation?
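To pin down where an event is being cut after each configuration change, the following added example (not part of the original thread) builds a UDP syslog probe whose body carries byte-offset markers, so the last intact marker in the indexed event shows the cut-off to within 8 bytes. The function names, the `truncprobe` tag and the priority value are assumptions made for this illustration.

```python
import re
import socket

MARK = re.compile(rb"\[(\d{6})\]")  # one complete offset marker


def build_probe(total_len: int, pri: int = 134, tag: str = "truncprobe") -> bytes:
    """Return a single-line syslog datagram of exactly total_len bytes.

    After the header, the body is a run of 8-byte markers such as "[000123]";
    each number is the byte offset in the datagram at which that marker ends.
    """
    header = f"<{pri}>{tag}: ".encode()
    body = bytearray()
    while len(header) + len(body) + 8 <= total_len:
        end = len(header) + len(body) + 8
        body += b"[%06d]" % end
    body += b"." * (total_len - len(header) - len(body))  # pad to exact size
    return header + bytes(body)


def last_intact_offset(event: bytes) -> int:
    """Largest offset marker that survived intact, or 0 if none did."""
    marks = MARK.findall(event)
    return int(marks[-1]) if marks else 0


def send_probe(host: str, port: int, total_len: int) -> int:
    """Send one probe datagram over UDP; returns the number of bytes sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(build_probe(total_len), (host, port))


if __name__ == "__main__":
    # Constructed demo: simulate a receiver that keeps only the first 2072 bytes.
    probe = build_probe(4000)
    print(len(probe), last_intact_offset(probe[:2072]))
```

Call `send_probe()` with the host and UDP port of your own syslog input, then search for the `truncprobe` event and read its last complete marker; compare that with the same datagram in the Wireshark capture.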