Has anyone come across this warning below in Splun...

mohdmikhael · ‎01-19-2023

Hi,

I recently came across this warning on Splunk web and was just wondering if anyone else has encountered this before and how to go about solving it?

The warning is as follows:
"Events are not displayed in the search results because _raw fields exceed the limit of 16777216 characters. Ensure that _raw fields are below the given character limit or switch to the CSV serialization format by setting 'results_serial_format=csv' in limits.conf. Switching to the CSV serialization....."

Any input is greatly appreciated and thank you in advance.

Mikhael

kanggao · ‎01-27-2023

do you figure out the root cause? it also displayed in our Splunk UI.

rahulg · ‎01-27-2023

Did you find any solution for this, i also see this error on UI

PaulPanther · ‎01-20-2023

@mohdmikhael For me it looks like that the affected event(s) are not splitted correctly.

Have you already verified what kind of data ist affected?

Regarding event breaking in Splunk: Configure event line breaking - Splunk Documentation

Has anyone come across this warning below in Splunk Web?

fields

subsearch

CX Day is Coming!

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Are you a member of the Splunk Community?