Security
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

LINE error in splunkd

a212830
Champion
‎04-22-2013 12:51 PM

Hi,

I'm getting the following errors in my splunkd.log:

04-22-2013 09:40:07.187 -0400 WARN LineBreakingProcessor - Truncating line because limit of 10000 has been exceeded with a line length >= 40915 - data_sour
ce="F:\IBM\Lotus\Domino\Trace\stpolicy_130419_2323_1.txt", data_host="STENG01VWIN", data_sourcetype="STCommunityTraceLogs_policy"

So, two questions. These are events that can span multiple lines - should SHOULD_LINEMERGE be set to true? And is there a way to limit the number of lines per event? (And what's the max?)

Tags (1)
0 Karma
Reply

jharty_splunk
Splunk Employee
Splunk Employee
‎04-22-2013 01:00 PM

You may want to review the doc out here:
http://docs.splunk.com/Documentation/Splunk/latest/Data/Indexmulti-lineevents

Yes you can set SHOULD_LINEMERGE = true but you will also have to set an additional parameter to break the event (for example BREAK_ONLY_BEFORE_DATE). A more efficient way of doing is to sety SHOULD_LINEMERGE = false and is set LINE_BREAKER = REGEX

Also, to get around the error you have above increase your MAX_EVENTS setting to 50000 or above:

[yoursourcetypehere]
TRUNCATE = 0
MAX_EVENTS = 50000

0 Karma
Reply

kristian_kolb
Ultra Champion
‎04-22-2013 01:25 PM

Yes and No. In that order.

The linebreaking advice is correct, but TRUNCATE refers to the length of a line (default 10000, '0' means unlimited) and MAX_EVENTS refers to the maximum number of lines in a multiline event (default 256, I think).

See the docs of props.conf, or the link provided above.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...