- Find Answers
- :
- Splunk Platform
- :
- Splunk Cloud Platform
- :
- Splunk Cloud Event truncated after 10kb- Is there ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I have a Splunk Cloud trial instance. I am using a Sprint Boot application to make a simple HttpPost call to the HEC in Batch mode. The format of the event is JSON and I am not adding line breaks between two events.
Splunk is receiving the requests and adding them as events. However, each of my events is getting truncated and is not showing up as a well formed JSON. I can see that the entire event is not being added, and when I measured the size of each event, it was coming up to 10kb.
I then found this: https://docs.splunk.com/Documentation/Splunk/latest/Data/Configureeventlinebreaking
Specifically, I think I'm being impacted by this:
The Splunk platform uses the LINE_BREAKER and TRUNCATE settings to evaluate and break events over 10kB into multiple lines of 10kB each.
Questions
1. Is there no way to send events to Splunk Cloud larger than 10 kb?
2. If it is indeed supported, what configuration do we need which can be performed via Splunk Web, since we don't have access to config files etc in Splunk Cloud? Is it something related to Source Types (Advanced config)?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@murally you could increase the truncate limit to a higher number under sourcetype settings-->advanced.
Suppose, if you keep the number to 0 it means unlimited.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@murally you could increase the truncate limit to a higher number under sourcetype settings-->advanced.
Suppose, if you keep the number to 0 it means unlimited.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
By the time I could do that, my splunk trial expired 😞 But I'll keep this suggestion in mind for future. Thanks!
Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...
Preparing your Splunk Environment for OpenSSL3
Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector
