Solved: How to increase 'Crash log' size?

jawaharas · ‎07-09-2019

Splunk instance crashed with incomplete crash file (crash.log*) under $SPLUNK_HOME/splunk/var/log/splunk/.

The crash log file is seems truncated with below error and so, it's not useful for troubleshooting.
Crash log has overflowed the allowed limit (512kB), truncated

How to increase crash log file size? Any help is welcome one. Thanks.

jawaharas · ‎09-09-2019

Let me answer to my own question with the inputs from Splunk support.

512kb limit for crash log is hardcoded in Splunk crash dump creation code. It is a pretty reasonable size and captures the necessary information.

Some crashes, like ones from a search process, may contain the last lines from the search.log and could get cut off. The setting itself is NOT configurable unfortunately.

View solution in original post

jawaharas · ‎09-09-2019

Let me answer to my own question with the inputs from Splunk support.

512kb limit for crash log is hardcoded in Splunk crash dump creation code. It is a pretty reasonable size and captures the necessary information.

Some crashes, like ones from a search process, may contain the last lines from the search.log and could get cut off. The setting itself is NOT configurable unfortunately.

jaime_ramirez · ‎08-05-2019

For some of the log inputs you can change the default settings in the $SPLUNK_HOME/etc/log.cfg file. Although for the crash log I havent found anything yet.

Have you tried contacting Splunk support on this issue?

jawaharas · ‎08-05-2019

I haven't. I will raise a Splunk support case and update here if I found solution. Cheers.

How to increase 'Crash log' size?

audit

error

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Join the Conversation