Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Changing max length of field

sc0tt
Builder
‎05-20-2014 04:37 AM

I have a field that is more than 10,000 characters. I updated props.conf to include

[source::log.txt]
TRUNCATE=20000

Splunk now indexes the entire event, but the content of the long field is being ignored when doing a search. For example search | eval l = len(long_field) returns a length of 1. Where can I change the max length of a field?

Thanks

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Ayn
Legend
‎05-20-2014 04:50 AM

You might be hitting this limit (from limits.conf):

maxchars = <integer>
* Truncate _raw to this size and then do auto KV.
* Defaults to 10240 characters.

View solution in original post

Reply
Solved! Jump to solution

sc0tt
Builder
‎05-20-2014 04:55 AM

Shorter fields work as expected. For example, if I count the field length for all events the max length is 9996; all the fields with a known length greater than 10,000 show as a length of 1. So it is clearly being limited to 10,000 somewhere.

0 Karma
Reply
Solved! Jump to solution
Solution

Ayn
Legend
‎05-20-2014 04:50 AM

You might be hitting this limit (from limits.conf):

maxchars = <integer>
* Truncate _raw to this size and then do auto KV.
* Defaults to 10240 characters.
Reply
Solved! Jump to solution

jiaminyun
Path Finder
‎02-19-2021 02:24 AM

How many bytes does a character take

0 Karma
Reply
Solved! Jump to solution

sc0tt
Builder
‎05-20-2014 05:12 AM

Thanks! That did it. I created a limits.conf file with maxchars = 20000 and it seems to be working as expected. Any known issues with increasing this value even higher? I'm seeing that some events have length > 19000.

0 Karma
Reply
Solved! Jump to solution

pbankar
Path Finder
‎12-11-2019 10:57 PM

Hey @Ayn, is there any limit for the same?

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎05-20-2014 04:49 AM

Do shorter fields with the same format work like it should? Or might this be an issue with the extraction itself?

0 Karma
Reply
Solved! Jump to solution

sc0tt
Builder
‎05-20-2014 04:44 AM

It's a space delimited field (field=" value1 value2 value3 value4 value5 value6..etc), so just using default Splunk extraction; nothing special is being applied to the file.

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎05-20-2014 04:39 AM

How is long_field extracted?

0 Karma
Reply
Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

New Release | Splunk Cloud Platform 10.1.2507

Hello Splunk Community!We are thrilled to announce the General Availability of Splunk Cloud Platform 10.1.2507 ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

&#x1f5e3; You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...