Splunk Dev
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

logs not complete

jadengoho
Builder
‎08-12-2018 09:06 PM

Hi ,
I am having trouble right now on why does the splunk log is not complete/cut , in the past few months logs are coming consistently complete.
but now it is cut shows only the header and no information.
alt text

it came from a server that monitor the logs,
Can somebody tell me why this happens ?
what to investigate ?
Also what is the solution for this problem?

-thanks in advance

Tags (1)
Preview file
16 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sudosplunk
Motivator
‎08-20-2018 11:06 AM

Looks like the line breaking issue is because there are no settings defined in props.conf and the default settings are not working properly for your data. Can you provide sample events (at least 2) and tell me what the event boundaries are.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

sudosplunk
Motivator
‎08-20-2018 11:06 AM

Looks like the line breaking issue is because there are no settings defined in props.conf and the default settings are not working properly for your data. Can you provide sample events (at least 2) and tell me what the event boundaries are.

0 Karma
Reply
Solved! Jump to solution

jadengoho
Builder
‎08-27-2018 06:13 PM

Thanks all for the help, adding props.conf helps the data to be completed,
Still not sure on why does the logs have been cut, but thank's it's working now.

0 Karma
Reply
Solved! Jump to solution

jadengoho
Builder
‎08-14-2018 04:51 PM

1) here is my configuratoin file :
Inputs:
[monitor:///var/log/backup]
disabled = 0
sourcetype = backup:mtx

there are no props and transforms set on the whole process.
Server(log)-universal forwarder > indexer > search head

2)Are the logs getting truncated by any chance?
- The logs are being cut off in that specific part,
there are chances that it would gave as a whole, but most of the time it is missing parts after the
"============Backup Summary============"
45% of the log it sent are being cut.
Still can't figure this out.

0 Karma
Reply
Solved! Jump to solution

brian_rampley
Path Finder
‎08-20-2018 08:07 AM

Does your data contain timestamps? I don't see any in your sample logs above, but I'm curious is there are timestamps in the missing portions of the data.

0 Karma
Reply
Solved! Jump to solution

nadlurinadluri
Communicator
‎08-17-2018 09:57 AM

I was under the impression that the logs are getting truncated after 10,000 character limit. But clearly thats not the case. Did you get a chance to look at the splunkd logs and see if you have any errors highlighted?

0 Karma
Reply
Solved! Jump to solution

brian_rampley
Path Finder
‎08-12-2018 11:44 PM

I would need to see your inputs.conf, props.conf, and transforms.conf for your particular input, but my first guess would be to investigate your settings in props.conf for your sourcetype.

0 Karma
Reply
Solved! Jump to solution

nadlurinadluri
Communicator
‎08-14-2018 03:51 PM

Are the logs getting truncated by any chance?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

    Are you ready to transform how your team handles complex data requests? We invite you to our upcoming ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...