Re: Splunk stream

Vadim_Peskov · ‎11-27-2023

Hi!
We use Splunk Stream 7.3.0. When receiving an event in a log longer than 1000000 characters, Splunk cuts it. Event in json format. Tell me what settings should be applied in Splunk Stream so that Splunk parses the data correctly.
Thanks!

_JP · ‎11-27-2023

IIRC Splunk Stream doesn't have truncation settings and this ends up being caught by the truncation settings for your sourcetype within props.conf. Can you share what your stanza is for your sourcetype? Is TRUNCATE=1000000? You might need to change to TRUNCATE=0 to force Splunk to include all of the event.

Vadim_Peskov · ‎11-28-2023

[stream:ip]
TRUNCATE = 0

did not help.
Any other suggestions?

_JP · ‎11-29-2023

Did you see any change in the data being ingested when you made the TRUNCATE value change? Also, if you change it to something specific to test it, like 10237. Does that limit it to 10237 bytes? This is mainly just to see if this particular TRUNCATE setting is what is limiting your data, and maybe we can help rule it out as the culprit so we know to dig further.

Vadim_Peskov · ‎11-27-2023

now in props.conf
[stream:ip]
TRUNCATE = 100000
I will change to 0, I will check, I will return with the answer

Splunk stream

administration

configuration

troubleshooting

using Splunk Enterprise

Community Content Calendar, November Edition

October Community Champions: A Shoutout to Our Contributors!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Are you a member of the Splunk Community?