Splunk Search

How do you tweak Splunk to display an event that is more than 500 lines long?

maverick
Splunk Employee

I'm getting an error in Splunk GUI that says my events are exceeding a 500 max limit. How do you tweak Splunk to display an event that is more than 500 lines long?

jrodman
Splunk Employee

The limit on the maximum displayed event size is a property that you set on your events lister to say how long an event you're willing to display. There's a limit because if we allow a 50 meg event to get passed to the browser, the browser will crash, and possibly break the client system as well.

That there was no way to show events larger than this was filed as a defect, SPL-26880, and a method was implemented for 4.0.5 to provide it. There's a bit of goofy behavior in 4.0.x still, resolved in 4.1 (when it ships).

What was changed is the EventsViewer module now accepts a parameter maxLinesConstraint which controls where the ceiling is. The default is still 500. Here's an example of how to change the constraint for the timeline view.

made new directory etc/apps/search/local/data/ui/views
copied etc/apps/search/default/data/ui/flashtimeline.xml to etc/apps/search/local/data/ui/flashtimeline.xml
Edited file as follows:

--- apps/search/default/data/ui/views/flashtimeline.xml 2009-10-16 02:34:49.000000000 -0700
+++ apps/search/local/data/ui/views/flashtimeline.xml 2009-10-16 17:18:27.000000000 -0700
@@ -125,6 +125,7 @@
                                 </param>

                                 <module name="EventsViewer" layoutPanel="resultsAreaLeft">
+                                  <param name="maxLinesConstraint">1000</param>
                                   <param name="segmentation">full</param>
                                   <param name="reportFieldLink">report_builder_format_report</param>
                                 </module>
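
Review bot: the added `<param name="maxLinesConstraint">1000</param>` under the EventsViewer module doubles the display ceiling with no comment saying why 1000 was chosen. Put an XML comment beside it recording the largest event this view is expected to show, and keep the value no higher than that, since the ceiling exists to bound what is passed to the browser. Only the EventsViewer in flashtimeline.xml is touched here, so any other view keeps the default.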

Bwooden, the known issue you refer to is the behavior with this in place, in 4.0.5 through 4.0.10.
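
To check which views have had the ceiling raised, the following added example (not part of the original answer and not Splunk's own code) reads a view file's XML and reports the effective `maxLinesConstraint` of every EventsViewer module, falling back to the default of 500 stated above. The sample view is constructed from the lines visible in the diff; the function names and the `ceiling` argument are assumptions of this sketch.

```python
import xml.etree.ElementTree as ET

DEFAULT_MAX_LINES = 500  # default ceiling stated in the answer above

# Constructed sample view, modelled on the lines visible in the diff.
SAMPLE_VIEW = """<view>
  <module name="EventsViewer" layoutPanel="resultsAreaLeft">
    <param name="maxLinesConstraint">1000</param>
    <param name="segmentation">full</param>
  </module>
  <module name="EventsViewer" layoutPanel="resultsAreaLeft">
    <param name="segmentation">full</param>
  </module>
</view>"""


def events_viewer_limits(xml_text):
    """Return the effective maxLinesConstraint of each EventsViewer module."""
    root = ET.fromstring(xml_text)
    limits = []
    for module in root.iter("module"):  # modules may be nested at any depth
        if module.get("name") != "EventsViewer":
            continue
        limit = DEFAULT_MAX_LINES
        # Only direct <param> children belong to this module.
        for param in module.findall("param"):
            if param.get("name") == "maxLinesConstraint":
                # A non-numeric value raises ValueError, which is what an
                # audit wants to surface rather than silently ignore.
                limit = int((param.text or "").strip())
        limits.append(limit)
    return limits


def over_ceiling(xml_text, ceiling):
    """List the limits that exceed a site-chosen ceiling (hypothetical policy)."""
    return [n for n in events_viewer_limits(xml_text) if n > ceiling]


if __name__ == "__main__":
    print(events_viewer_limits(SAMPLE_VIEW))
    print(over_ceiling(SAMPLE_VIEW, DEFAULT_MAX_LINES))
```
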

splunkdevabhi
Explorer

Adding TRUNCATE Value while Indexing the logs

bfaber
Communicator

Is there a new answer for 4.1.x? This seems dated.

bwooden
Splunk Employee

I generated a 1000 line long Lorem Ipsum event and fed it to Splunk.
I then added "600" to the flashtimeline view options and made it the default, True

Neither "All" nor "600" showed more than 500 lines. Here is a snippet of said omission.

Proin sollicitudin facilisis ipsum, eget egestas mauris cursus at. ... 207 lines omitted ... Sed eleifend tellus sit amet velit pharetra at dapibus lorem tristique.

There is a known issue with 500+ lines in an entry but it appears to be unrelated as the above happens before collapsing back:

If you expand the view of a large event to the full event and back again to the summary view, subsequent attempts to expand to view the entire event will be restricted to 500 lines. (SPL-27109)
