Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Changing max length of field

sc0tt
Builder
‎05-20-2014 04:37 AM

I have a field that is more than 10,000 characters. I updated props.conf to include

[source::log.txt]
TRUNCATE=20000

Splunk now indexes the entire event, but the content of the long field is being ignored when doing a search. For example search | eval l = len(long_field) returns a length of 1. Where can I change the max length of a field?

Thanks

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Ayn
Legend
‎05-20-2014 04:50 AM

You might be hitting this limit (from limits.conf):

maxchars = <integer>
* Truncate _raw to this size and then do auto KV.
* Defaults to 10240 characters.

View solution in original post

Reply
Solved! Jump to solution

sc0tt
Builder
‎05-20-2014 04:55 AM

Shorter fields work as expected. For example, if I count the field length for all events the max length is 9996; all the fields with a known length greater than 10,000 show as a length of 1. So it is clearly being limited to 10,000 somewhere.

0 Karma
Reply
Solved! Jump to solution
Solution

Ayn
Legend
‎05-20-2014 04:50 AM

You might be hitting this limit (from limits.conf):

maxchars = <integer>
* Truncate _raw to this size and then do auto KV.
* Defaults to 10240 characters.
Reply
Solved! Jump to solution

jiaminyun
Path Finder
‎02-19-2021 02:24 AM

How many bytes does a character take

0 Karma
Reply
Solved! Jump to solution

sc0tt
Builder
‎05-20-2014 05:12 AM

Thanks! That did it. I created a limits.conf file with maxchars = 20000 and it seems to be working as expected. Any known issues with increasing this value even higher? I'm seeing that some events have length > 19000.

0 Karma
Reply
Solved! Jump to solution

pbankar
Path Finder
‎12-11-2019 10:57 PM

Hey @Ayn, is there any limit for the same?

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎05-20-2014 04:49 AM

Do shorter fields with the same format work like it should? Or might this be an issue with the extraction itself?

0 Karma
Reply
Solved! Jump to solution

sc0tt
Builder
‎05-20-2014 04:44 AM

It's a space delimited field (field=" value1 value2 value3 value4 value5 value6..etc), so just using default Splunk extraction; nothing special is being applied to the file.

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎05-20-2014 04:39 AM

How is long_field extracted?

0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Brute Force Account Takeover Fraud with Splunk

This article is the second in a three-part series exploring advanced fraud detection techniques using Splunk. ...

Buttercup Games: Further Dashboarding Techniques (Part 9)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Buttercup Games: Further Dashboarding Techniques (Part 8)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top