Security
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

LINE error in splunkd

a212830
Champion
‎04-22-2013 12:51 PM

Hi,

I'm getting the following errors in my splunkd.log:

04-22-2013 09:40:07.187 -0400 WARN LineBreakingProcessor - Truncating line because limit of 10000 has been exceeded with a line length >= 40915 - data_sour
ce="F:\IBM\Lotus\Domino\Trace\stpolicy_130419_2323_1.txt", data_host="STENG01VWIN", data_sourcetype="STCommunityTraceLogs_policy"

So, two questions. These are events that can span multiple lines - should SHOULD_LINEMERGE be set to true? And is there a way to limit the number of lines per event? (And what's the max?)

Tags (1)
0 Karma
Reply

jharty_splunk
Splunk Employee
Splunk Employee
‎04-22-2013 01:00 PM

You may want to review the doc out here:
http://docs.splunk.com/Documentation/Splunk/latest/Data/Indexmulti-lineevents

Yes you can set SHOULD_LINEMERGE = true but you will also have to set an additional parameter to break the event (for example BREAK_ONLY_BEFORE_DATE). A more efficient way of doing is to sety SHOULD_LINEMERGE = false and is set LINE_BREAKER = REGEX

Also, to get around the error you have above increase your MAX_EVENTS setting to 50000 or above:

[yoursourcetypehere]
TRUNCATE = 0
MAX_EVENTS = 50000

0 Karma
Reply

kristian_kolb
Ultra Champion
‎04-22-2013 01:25 PM

Yes and No. In that order.

The linebreaking advice is correct, but TRUNCATE refers to the length of a line (default 10000, '0' means unlimited) and MAX_EVENTS refers to the maximum number of lines in a multiline event (default 256, I think).

See the docs of props.conf, or the link provided above.

0 Karma
Reply
Get Updates on the Splunk Community!

Unlock Database Monitoring with Splunk Observability Cloud

  In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and ...

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

At Cisco, purpose isn’t a tagline—it’s a commitment. Cisco’s FY25 Purpose Report outlines how the company is ...

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join us for a live Demo Day at the Cisco Store on January 21st 10:00am - 11:00am PST In the fast-paced world ...