Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Changing max length of field

sc0tt
Builder
‎05-20-2014 04:37 AM

I have a field that is more than 10,000 characters. I updated props.conf to include

[source::log.txt]
TRUNCATE=20000

Splunk now indexes the entire event, but the content of the long field is being ignored when doing a search. For example search | eval l = len(long_field) returns a length of 1. Where can I change the max length of a field?

Thanks

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Ayn
Legend
‎05-20-2014 04:50 AM

You might be hitting this limit (from limits.conf):

maxchars = <integer>
* Truncate _raw to this size and then do auto KV.
* Defaults to 10240 characters.

View solution in original post

Reply
Solved! Jump to solution

sc0tt
Builder
‎05-20-2014 04:55 AM

Shorter fields work as expected. For example, if I count the field length for all events the max length is 9996; all the fields with a known length greater than 10,000 show as a length of 1. So it is clearly being limited to 10,000 somewhere.

0 Karma
Reply
Solved! Jump to solution
Solution

Ayn
Legend
‎05-20-2014 04:50 AM

You might be hitting this limit (from limits.conf):

maxchars = <integer>
* Truncate _raw to this size and then do auto KV.
* Defaults to 10240 characters.
Reply
Solved! Jump to solution

jiaminyun
Path Finder
‎02-19-2021 02:24 AM

How many bytes does a character take

0 Karma
Reply
Solved! Jump to solution

sc0tt
Builder
‎05-20-2014 05:12 AM

Thanks! That did it. I created a limits.conf file with maxchars = 20000 and it seems to be working as expected. Any known issues with increasing this value even higher? I'm seeing that some events have length > 19000.

0 Karma
Reply
Solved! Jump to solution

pbankar
Path Finder
‎12-11-2019 10:57 PM

Hey @Ayn, is there any limit for the same?

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎05-20-2014 04:49 AM

Do shorter fields with the same format work like it should? Or might this be an issue with the extraction itself?

0 Karma
Reply
Solved! Jump to solution

sc0tt
Builder
‎05-20-2014 04:44 AM

It's a space delimited field (field=" value1 value2 value3 value4 value5 value6..etc), so just using default Splunk extraction; nothing special is being applied to the file.

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎05-20-2014 04:39 AM

How is long_field extracted?

0 Karma
Reply
Get Updates on the Splunk Community!

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...