Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to change max limit of event from 10000 bytes in Splunk Cloud ?

ajinkya0106aexp
New Member
‎12-17-2018 02:26 AM

How to change max limit of event from 10000 bytes in Splunk Cloud ?

Tags (2)
0 Karma
Reply

jherring_splunk
Splunk Employee
Splunk Employee
‎03-24-2020 11:41 PM

Best practice is to create an app, call it (your_company_name)_all_indexers or something to that effect, create a default subdirectory and in there populate an app.conf (requirement for Splunk Cloud in particular for versioning) and a props.conf. Splunk best practice is to create apps with the name of the authoring organization and the app's target component in the infrastructure (can be a Splunk tier, a particular source, etc etc). In this case I chose "all_indexers" as the target tier.

In the props.conf put the TRUNCATE=(some #>10000) in the stanzas you create per the Splunk documentation for props (Google Splunk props.conf.spec).

Then, submit it for distribution to your indexers from the cluster master.

0 Karma
Reply

harsmarvania57
Ultra Champion
‎12-17-2018 03:55 AM

I guess you need to contact Splunk Support team to change this value in conf file directly for respective sourcetype.

0 Karma
Reply

adonio
Ultra Champion
‎12-17-2018 05:28 AM

indeed, contact your Cloud Support team.
if you can not, find out who in your organization has their name on the account

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...