Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is there character limits in previous Splunk version?

xRusty9
Explorer
‎11-13-2022 10:40 PM

Hi, 

May I check whether is there character limits when sending data to Splunk? Is there 10000 limit on Splunk Enterprise version 8.0.5?

 

Thanks!

Labels (2)
0 Karma
Reply

xRusty9
Explorer
‎11-14-2022 09:37 PM

I do see that props.conf have a few TRUNCATE setting. Do I change all of them so that longer message can be loaded in Splunk? or I change the default, splunkd, and KVstore will do?

0 Karma
Reply

SanjayReddy
SplunkTrust
SplunkTrust
‎11-13-2022 11:04 PM

Hi @xRusty9 

Defult is 10k , for all for splunk versions,  this value present in $Splunk_Home/etc/system/default/props.conf

if you wante to increase the limit please update in local directory 

TRUNCATE = <non-negative integer>
* The default maximum line length, in bytes.
* Although this is in bytes, line length is rounded down when this would
  otherwise land mid-character for multi-byte characters.
* Set to 0 if you never want truncation (very long lines are, however, often
  a sign of garbage data).
* Default: 10000

 

this can be based on source or sourcetype or host in props.conf 
ex:

[host::small_events]
TRUNCATE = 256

---
If this reply helps you, an upvote/Karma would be appreciated.

0 Karma
Reply

xRusty9
Explorer
‎11-13-2022 11:14 PM

Hi, thanks for the reply. I am using the latest version(9.0.1) and the older version(8.0.5), and 9.0.1 able to send more than 10k of data without changing the configuration. Whereas 8.0.5 truncate around 10k. 

 

0 Karma
Reply

SanjayReddy
SplunkTrust
SplunkTrust
‎11-14-2022 12:31 AM

Hi @xRusty9 

Can you following command from splunk bin directory  on both 9.0.1 and 8.0.5  servers to check any local configuration that updated?

 

./splunk btool props list --debug | grep -i TRUNCATE

 

Reply

xRusty9
Explorer
‎11-14-2022 09:37 PM

Hi @SanjayReddy ,

I do see that props.conf have a few TRUNCATE setting. Do I change all of them so that longer message can be loaded in Splunk? or I change the default, splunkd, and KVstore will do?

 

Just to update:

I tried to add the following under the $Splunk_Home/etc/system/default/props.conf, the truncate didnt happen in version 9.0.5. 

[host::127.0.0.1:8088]
TRUNCATE = 256

 

My data came in via HEC.

0 Karma
Reply

SanjayReddy
SplunkTrust
SplunkTrust
‎11-19-2022 11:03 PM

Hi @xRusty9 

remove port from header and save it

check if that is working?

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...