Splunk Dev
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How do I find events causing LineBreakingProcessor Warning?

dwoltil
Engager
‎04-05-2012 05:09 PM

I am getting over 1,000 of theses warnings in the splunkd.log every minute on one of our indexers.
We are on version 4.3.1 build 119532

WARN LineBreakingProcessor - Truncating line because limit of 10000 has been exceeded: 23824
WARN LineBreakingProcessor - Truncating line because limit of 10000 has been exceeded: 33824
WARN LineBreakingProcessor - Truncating line because limit of 10000 has been exceeded: 31056
...etc

I know I can edit props.conf to change the truncate setting (http://splunk-base.splunk.com/answers/41648/linebreakingprocessor-truncating-line-because-limit-of-1...) but I want to find what events are causing these warning so I can make sure the sender is not incorrectly configured or sending junk data.

How can I identify these extremely long events?

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

sdwilkerson
Contributor
‎04-05-2012 05:56 PM

Dwoltil,

Here are two methods:

The search above should return the events that are 10000 bytes long or rather, the ones that will hit the default TRUNCATE limit. Instead of the equal sign after size, you can instead use the greater than or less than character if you prefer to fine tune what you are looking for.

Best,

Sean

View solution in original post

Reply
Solved! Jump to solution
Solution

sdwilkerson
Contributor
‎04-05-2012 05:56 PM

Dwoltil,

Here are two methods:

The search above should return the events that are 10000 bytes long or rather, the ones that will hit the default TRUNCATE limit. Instead of the equal sign after size, you can instead use the greater than or less than character if you prefer to fine tune what you are looking for.

Best,

Sean

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Event Series: Telemetry Pipeline Management

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...