Re: Splunk stream

Vadim_Peskov · ‎11-27-2023

Hi!
We use Splunk Stream 7.3.0. When receiving an event in a log longer than 1000000 characters, Splunk cuts it. Event in json format. Tell me what settings should be applied in Splunk Stream so that Splunk parses the data correctly.
Thanks!

_JP · ‎11-27-2023

IIRC Splunk Stream doesn't have truncation settings and this ends up being caught by the truncation settings for your sourcetype within props.conf. Can you share what your stanza is for your sourcetype? Is TRUNCATE=1000000? You might need to change to TRUNCATE=0 to force Splunk to include all of the event.

Vadim_Peskov · ‎11-28-2023

[stream:ip]
TRUNCATE = 0

did not help.
Any other suggestions?

_JP · ‎11-29-2023

Did you see any change in the data being ingested when you made the TRUNCATE value change? Also, if you change it to something specific to test it, like 10237. Does that limit it to 10237 bytes? This is mainly just to see if this particular TRUNCATE setting is what is limiting your data, and maybe we can help rule it out as the culprit so we know to dig further.

Vadim_Peskov · ‎11-27-2023

now in props.conf
[stream:ip]
TRUNCATE = 100000
I will change to 0, I will check, I will return with the answer

Splunk stream

administration

configuration

troubleshooting

using Splunk Enterprise

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Analytics Workspace deprecation

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation