Re: Splunk stream

Vadim_Peskov · ‎11-27-2023

Hi!
We use Splunk Stream 7.3.0. When receiving an event in a log longer than 1000000 characters, Splunk cuts it. Event in json format. Tell me what settings should be applied in Splunk Stream so that Splunk parses the data correctly.
Thanks!

_JP · ‎11-27-2023

IIRC Splunk Stream doesn't have truncation settings and this ends up being caught by the truncation settings for your sourcetype within props.conf. Can you share what your stanza is for your sourcetype? Is TRUNCATE=1000000? You might need to change to TRUNCATE=0 to force Splunk to include all of the event.

Vadim_Peskov · ‎11-28-2023

[stream:ip]
TRUNCATE = 0

did not help.
Any other suggestions?

_JP · ‎11-29-2023

Did you see any change in the data being ingested when you made the TRUNCATE value change? Also, if you change it to something specific to test it, like 10237. Does that limit it to 10237 bytes? This is mainly just to see if this particular TRUNCATE setting is what is limiting your data, and maybe we can help rule it out as the culprit so we know to dig further.

Vadim_Peskov · ‎11-27-2023

now in props.conf
[stream:ip]
TRUNCATE = 100000
I will change to 0, I will check, I will return with the answer

Splunk stream

administration

configuration

troubleshooting

using Splunk Enterprise

Machine Learning - Assisted Adaptive Thresholding

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

Wrapping Up Cybersecurity Awareness Month

Are you a member of the Splunk Community?