Hi,
I recently came across this warning on Splunk web and was just wondering if anyone else has encountered this before and how to go about solving it?
The warning is as follows:
"Events are not displayed in the search results because _raw fields exceed the limit of 16777216 characters. Ensure that _raw fields are below the given character limit or switch to the CSV serialization format by setting 'results_serial_format=csv' in limits.conf. Switching to the CSV serialization....."
Any input is greatly appreciated and thank you in advance.
Mikhael
Did you find any solution for this? I also see this error on the UI.
@mohdmikhael To me it looks like the affected event(s) are not split correctly.
Have you already verified what kind of data is affected?
Regarding event breaking in Splunk: Configure event line breaking - Splunk Documentation