Splunk Enterprise

Are there character limits in the previous Splunk version?

xRusty9
Explorer

Hi, 

May I check whether there are character limits when sending data to Splunk? Is there a 10000 limit on Splunk Enterprise version 8.0.5?

 

Thanks!


SanjayReddy
SplunkTrust

Hi @xRusty9 

Default is 10k for all Splunk versions; this value is present in $Splunk_Home/etc/system/default/props.conf

If you want to increase the limit, please update it in the local directory.

TRUNCATE = <non-negative integer>
* The default maximum line length, in bytes.
* Although this is in bytes, line length is rounded down when this would
  otherwise land mid-character for multi-byte characters.
* Set to 0 if you never want truncation (very long lines are, however, often
  a sign of garbage data).
* Default: 10000

 

This can be based on source, sourcetype or host in props.conf.
Ex:

[host::small_events]
TRUNCATE = 256


xRusty9
Explorer

Hi, thanks for the reply. I am using the latest version (9.0.1) and the older version (8.0.5), and 9.0.1 is able to send more than 10k of data without changing the configuration, whereas 8.0.5 truncates at around 10k.

 


SanjayReddy
SplunkTrust

Hi @xRusty9 

Can you run the following command from the Splunk bin directory on both the 9.0.1 and 8.0.5 servers to check for any local configuration that was updated?

 

./splunk btool props list --debug | grep -i TRUNCATE
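
Added example, not part of the original thread or of Splunk's own tooling: filtering the btool output with `grep` drops the `[stanza]` header each TRUNCATE value belongs to, so this shell function keeps the stanza, the value, and whether the defining file sits in a `default` or `local` directory. The sample input is constructed, and `.conf` paths are assumed to contain no whitespace.

```shell
#!/bin/sh
# Added example (not from the thread). Reads `splunk btool props list --debug`
# output on stdin and prints one tab-separated row per TRUNCATE setting:
#   stanza <TAB> value <TAB> layer (local/default/other) <TAB> defining file
# Assumption: .conf paths contain no whitespace.
truncate_by_stanza() {
    awk '
    {
        file = $1                          # --debug prefixes each line with its .conf path
        line = $0
        sub(/^[^ \t]+[ \t]+/, "", line)    # strip that prefix, keep the setting
    }
    line ~ /^\[.*\]$/ { stanza = line; next }
    line ~ /^TRUNCATE[ \t]*=/ {
        value = line
        sub(/^TRUNCATE[ \t]*=[ \t]*/, "", value)
        layer = "other"
        if (file ~ /\/default\//) layer = "default"
        if (file ~ /\/local\//)   layer = "local"
        printf "%s\t%s\t%s\t%s\n", stanza, value, layer, file
    }'
}

# Constructed sample of btool --debug output (values are illustrative only).
sample_btool_output() {
    cat <<'EOF'
/opt/splunk/etc/system/default/props.conf      [default]
/opt/splunk/etc/system/default/props.conf      TRUNCATE = 10000
/opt/splunk/etc/system/local/props.conf        [host::small_events]
/opt/splunk/etc/system/local/props.conf        TRUNCATE = 256
/opt/splunk/etc/system/default/props.conf      [splunkd]
/opt/splunk/etc/system/default/props.conf      MAX_TIMESTAMP_LOOKAHEAD = 40
/opt/splunk/etc/system/default/props.conf      TRUNCATE = 20000
EOF
}

# On a server: ./splunk btool props list --debug | truncate_by_stanza
sample_btool_output | truncate_by_stanza
```

Rows whose layer is `default` come from shipped configuration; overrides belong in the matching `local` directory, as the earlier reply says.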

 

xRusty9
Explorer

Hi @SanjayReddy ,

I do see that props.conf has a few TRUNCATE settings. Do I change all of them so that longer messages can be loaded in Splunk? Or will changing the default, splunkd, and KVstore ones do?

 

Just to update:

I tried adding the following under $Splunk_Home/etc/system/default/props.conf; the truncation didn't happen in version 9.0.5.

[host::127.0.0.1:8088]
TRUNCATE = 256

 

My data came in via HEC.


SanjayReddy
SplunkTrust

Hi @xRusty9 

Remove the port from the header and save it.

Check if that is working.
