Solved: How to increase 'Crash log' size?

jawaharas · ‎07-09-2019

Splunk instance crashed with incomplete crash file (crash.log*) under $SPLUNK_HOME/splunk/var/log/splunk/.

The crash log file is seems truncated with below error and so, it's not useful for troubleshooting.
Crash log has overflowed the allowed limit (512kB), truncated

How to increase crash log file size? Any help is welcome one. Thanks.

jawaharas · ‎09-09-2019

Let me answer to my own question with the inputs from Splunk support.

512kb limit for crash log is hardcoded in Splunk crash dump creation code. It is a pretty reasonable size and captures the necessary information.

Some crashes, like ones from a search process, may contain the last lines from the search.log and could get cut off. The setting itself is NOT configurable unfortunately.

View solution in original post

jawaharas · ‎09-09-2019

Let me answer to my own question with the inputs from Splunk support.

512kb limit for crash log is hardcoded in Splunk crash dump creation code. It is a pretty reasonable size and captures the necessary information.

Some crashes, like ones from a search process, may contain the last lines from the search.log and could get cut off. The setting itself is NOT configurable unfortunately.

jaime_ramirez · ‎08-05-2019

For some of the log inputs you can change the default settings in the $SPLUNK_HOME/etc/log.cfg file. Although for the crash log I havent found anything yet.

Have you tried contacting Splunk support on this issue?

jawaharas · ‎08-05-2019

I haven't. I will raise a Splunk support case and update here if I found solution. Cheers.

How to increase 'Crash log' size?

audit

error

Build Scalable Security While Moving to Cloud - Guide From Clayton Homes

Mission Control | Explore the latest release of Splunk Mission Control (2.3)

Cloud Platform | Migrating your Splunk Cloud deployment to Python 3.7