Monitoring Splunk

Splunk Audit Log Truncate

DanielAmlung
Path Finder

Hi,

For a couple of days I have been getting these errors from one of my search heads:

"06-05-2024 14:33:35.300 +0200 WARN LineBreakingProcessor [3959599 parsing] - Truncating line because limit of 10000 bytes has been exceeded with a line length >= 11513 - data_source="/opt/splunk/var/log/splunk/audit.log", data_host="XXX", data_sourcetype="splunk_audit""

As far as I understand, I can set the TRUNCATE value in props.conf to a higher value. I just want to understand why internal logs exceed the line length. Can someone point me in the right direction as to why the audit logs exceed this limit?

Thanks


DanielAmlung
Path Finder

"Or is the question more like 'shouldn't Splunk never write events longer than 10,000 characters?'"

Yes, that would be my question. I assume Splunk should know that it would exceed some length. So I don't get why there is a "limit" for internal logs. But yeah, that question has no real "this" or "that". Thanks for the reply.


richgalloway
SplunkTrust

Ideally, Splunk would know it's creating an event that's too large and modify TRUNCATE accordingly for that sourcetype. For log messages that glob together several pieces of information at run-time (like many audit events), the true size of the event won't be known in advance.

---
If this reply helps you, Karma would be appreciated.

richgalloway
SplunkTrust

The audit log exceeds the limit because Splunk wrote a very long event to the log. Why that happened is impossible to say without knowing more about the event itself.

Or is the question more like "shouldn't Splunk never write events longer than 10,000 characters?" If so, I don't disagree, but prefer Splunk give me the option (by increasing TRUNCATE) to log all of the event rather than cut off what might otherwise be important data.

---
If this reply helps you, Karma would be appreciated.
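Before raising TRUNCATE it helps to know which sourcetypes are actually being cut and by how much. The script below is an added example, not code from the thread or from Splunk: it parses the LineBreakingProcessor WARN format quoted in the question out of a splunkd.log excerpt, summarises truncations per sourcetype, and renders a props.conf stanza. The sample log lines, the host name, the second sourcetype and the 2x headroom rule are all constructed assumptions.

```python
import re

# Constructed sample splunkd.log excerpt (not from the thread), modelled on the
# WARN quoted in the question; host name and the second sourcetype are made up.
SAMPLE_LOG = """\
06-05-2024 14:33:35.300 +0200 WARN LineBreakingProcessor [3959599 parsing] - Truncating line because limit of 10000 bytes has been exceeded with a line length >= 11513 - data_source="/opt/splunk/var/log/splunk/audit.log", data_host="sh01", data_sourcetype="splunk_audit"
06-05-2024 14:35:02.118 +0200 WARN LineBreakingProcessor [3959599 parsing] - Truncating line because limit of 10000 bytes has been exceeded with a line length >= 14207 - data_source="/opt/splunk/var/log/splunk/audit.log", data_host="sh01", data_sourcetype="splunk_audit"
06-05-2024 14:36:10.002 +0200 INFO  Metrics - group=thruput, name=thruput, instantaneous_kbps=1.2
06-05-2024 14:40:44.771 +0200 WARN LineBreakingProcessor [3959599 parsing] - Truncating line because limit of 10000 bytes has been exceeded with a line length >= 10342 - data_source="/opt/app/logs/app.log", data_host="sh01", data_sourcetype="app:json"
"""

TRUNC_RE = re.compile(
    r"WARN LineBreakingProcessor .*?limit of (?P<limit>\d+) bytes .*?"
    r"line length >= (?P<length>\d+) .*?"
    r'data_source="(?P<source>[^"]*)".*?data_sourcetype="(?P<sourcetype>[^"]*)"'
)

def parse_truncation_warnings(text):
    """Yield one dict per LineBreakingProcessor truncation warning; other lines are skipped."""
    for line in text.splitlines():
        m = TRUNC_RE.search(line)
        if m:
            yield {"limit": int(m["limit"]), "length": int(m["length"]),
                   "source": m["source"], "sourcetype": m["sourcetype"]}

def summarize(text):
    """Per sourcetype: how many lines were cut, the limit in force, and the longest length seen."""
    summary = {}
    for w in parse_truncation_warnings(text):
        s = summary.setdefault(w["sourcetype"],
                               {"count": 0, "limit": w["limit"], "max_length": 0})
        s["count"] += 1
        s["max_length"] = max(s["max_length"], w["length"])
    return summary

def suggest_truncate(max_length, headroom=2.0):
    """Size a new TRUNCATE: the WARN only reports a lower bound (">="), so apply headroom
    (2x is an assumption, not a Splunk recommendation) and round up to a whole thousand."""
    target = int(max_length * headroom)
    return -(-target // 1000) * 1000

def props_stanzas(summary):
    """Render the props.conf stanzas that would raise TRUNCATE for each affected sourcetype."""
    return "\n\n".join(f"[{st}]\nTRUNCATE = {suggest_truncate(s['max_length'])}"
                       for st, s in sorted(summary.items()))

if __name__ == "__main__":
    print(props_stanzas(summarize(SAMPLE_LOG)))
```

Setting TRUNCATE = 0 removes the cap entirely, so a bounded value sized from the observed lengths keeps a single runaway event from consuming parsing memory.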