Monitoring Splunk
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk Audit Log Truncate

DanielAmlung
Path Finder
‎06-05-2024 05:51 AM

Hi,

since a couple of days i getting these errors from one of my search heads:

"06-05-2024 14:33:35.300 +0200 WARN LineBreakingProcessor [3959599 parsing] - Truncating line because limit of 10000 bytes has been exceeded with a line length >= 11513 - data_source="/opt/splunk/var/log/splunk/audit.log", data_host="XXX", data_sourcetype="splunk_audit""

As far as i understood, i can set truncate value within the props.conf to a higher value. I just want to understand, why internal logs exceeds the line length. Can someone point me in the right direction why the audit logs exceeds this limit?

thanks

Labels (1)
Labels
0 Karma
Reply

DanielAmlung
Path Finder
‎06-05-2024 08:04 AM

"Or is the question more like "shouldn't Splunk never write events longer than 10,000 characters?"

Yes - that would be my question. I assume splunk should know that it would exceed some length. So i dont get why there is a "limit" for internal logs. But yeah, that question has no real "this" or "that". Thanks for the reply

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-05-2024 10:24 AM

Ideally, Splunk would know it's creating an event that's too large and modify TRUNCATE accordingly for that sourcetype.  For log messages that glob together several pieces of information at run-time (like many audit events), the true size of the event won't be known in advance.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-05-2024 07:53 AM

The audit log exceeds the limit because Splunk wrote a very long event to the log.  Why that happened is impossible to say without knowing more about the event itself.

Or is the question more like "shouldn't Splunk never write events longer than 10,000 characters?"  If so, I don't disagree, but prefer Splunk give me the option (by increasing TRUNCATE) to log all of the event rather than cut off what might otherwise be important data.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...

Explore the Latest Educational Offerings from Splunk (November Releases)

At Splunk Education, we are committed to providing a robust learning experience for all users, regardless of ...

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...