Monitoring Splunk
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk Audit Log Truncate

DanielAmlung
Path Finder
‎06-05-2024 05:51 AM

Hi,

since a couple of days i getting these errors from one of my search heads:

"06-05-2024 14:33:35.300 +0200 WARN LineBreakingProcessor [3959599 parsing] - Truncating line because limit of 10000 bytes has been exceeded with a line length >= 11513 - data_source="/opt/splunk/var/log/splunk/audit.log", data_host="XXX", data_sourcetype="splunk_audit""

As far as i understood, i can set truncate value within the props.conf to a higher value. I just want to understand, why internal logs exceeds the line length. Can someone point me in the right direction why the audit logs exceeds this limit?

thanks

Labels (1)
Labels
0 Karma
Reply

DanielAmlung
Path Finder
‎06-05-2024 08:04 AM

"Or is the question more like "shouldn't Splunk never write events longer than 10,000 characters?"

Yes - that would be my question. I assume splunk should know that it would exceed some length. So i dont get why there is a "limit" for internal logs. But yeah, that question has no real "this" or "that". Thanks for the reply

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-05-2024 10:24 AM

Ideally, Splunk would know it's creating an event that's too large and modify TRUNCATE accordingly for that sourcetype.  For log messages that glob together several pieces of information at run-time (like many audit events), the true size of the event won't be known in advance.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-05-2024 07:53 AM

The audit log exceeds the limit because Splunk wrote a very long event to the log.  Why that happened is impossible to say without knowing more about the event itself.

Or is the question more like "shouldn't Splunk never write events longer than 10,000 characters?"  If so, I don't disagree, but prefer Splunk give me the option (by increasing TRUNCATE) to log all of the event rather than cut off what might otherwise be important data.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

New Release | Splunk Cloud Platform 10.1.2507

Hello Splunk Community!We are thrilled to announce the General Availability of Splunk Cloud Platform 10.1.2507 ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

🗣 You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...