Like many questions I've seen here, anything sent via TCP/UDP is being cut off after 10K.
I have a simple app deployed to clients. My inputs.conf has a stanza for a script, and it's to run a program that will (at the end) send JSON data back via TCP. I figured this was better than monitoring an output file. This file is between 40 to 50K. Per suggestions, I created a props.conf in my ./myapp/local.
[tcp://515]
truncate = 100000
Or perhaps I've understood how to implement props.conf correctly. I restarted the Splunk service after making this change, sent the data again, and it's cut off at 10K.
how much increased to? Please note 10K is "bytes" and not characters.
Try putting it as "0" and try
Also I believe if it is json, don't use just bytes, but use something like..
[tcp://515]
KV_MODE = json
LINE_BREAKER = "(^){"
NO_BINARY_CHECK = 1
TRUNCATE = 0
SHOULD_LINEMERGE = false