How to change the default linecount for "search" f...

genesiusj · ‎10-21-2022

Hello,

Quick question.
How do I change the default number of lines to return in search? Is there a setting in limits.conf?

index=_audit action=search AND search!=*_internal* AND search!=*_audit* AND user="user1"

The linecount max is 128. My larger search values return with ...(truncated)', autojo... in the _raw.

Thanks in advance and God bless.

johnhuang · ‎10-21-2022

It's either the truncate or max_events setting in props.conf. Check the char length of the truncated event to rule it out:

| eval char_length=LEN(_raw)

https://docs.splunk.com/Documentation/Splunk/9.0.1/Admin/Propsconf

# Use the following settings to define the length of a line.

TRUNCATE = <non-negative integer>
* The default maximum line length, in bytes.
* Although this is in bytes, line length is rounded down when this would
otherwise land mid-character for multi-byte characters.
* Set to 0 if you never want truncation (very long lines are, however, often
a sign of garbage data).
* Default: 10000

How to change the default linecount for "search" from index=_audit?

using Splunk Enterprise

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to ...

Splunk Observability for AI

Join the Conversation

How to change the default linecount for "search" from index=_audit?

using Splunk Enterprise

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to ...

Splunk Observability for AI