Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do you tweak Splunk to display an event that is more than 500 lines long?

maverick
Splunk Employee
Splunk Employee
‎03-04-2010 03:20 PM

I'm getting an error in Splunk GUI that says my events are exceeding a 500 max limit. How do you tweak Splunk to display an event that is more than 500 lines long?

Tags (3)
Reply
1 Solution
Solved! Jump to solution
Solution

jrodman
Splunk Employee
Splunk Employee
‎03-11-2010 08:25 AM

The limit on the maximum displayed event size is property that you set on your events lister to say how long an event you're willing to display. There's a limit because if we allow a 50 meg event to get passed to the browser, the browser will crash, and possibly break the client system as well.

That there was no way to show events larger than this was filed as a defect, SPL-26880, and a method was implemented for 4.0.5 to provide it. There's a bit of goofy behavior in 4.0.x still, resolved in 4.1 (when it ships).

What was changed is the EventsViewer module now accepts a parameter maxLinesConstraint which controls where the ceiling is. The default is still 500. Here's an example of how to change the constraint for the timeline view.

made new directory etc/apps/search/local/data/ui/views
copied etc/apps/search/default/data/ui/flashtimeline.xml to etc/apps/search/local/data/ui/flashtlimeline.xml
Edited file as follows:

--- apps/search/default/data/ui/views/flashtimeline.xml 2009-10-16 02:34:49.000000000 -0700
+++ apps/search/local/data/ui/views/flashtimeline.xml 2009-10-16 17:18:27.000000000 -0700
@@ -125,6 +125,7 @@
                                 </param>

                                 <module name="EventsViewer" layoutPanel="resultsAreaLeft">
+                                  <param name="maxLinesConstraint">1000</param>
                                   <param name="segmentation">full</param>
                                   <param name="reportFieldLink">report_builder_format_report</param>
                                 </module>

Bwooden, the known issue you refer to is the behavior with this in place, in 4.0.5 through 4.0.10.

View solution in original post

Reply
Solved! Jump to solution

splunkdevabhi
Explorer
‎10-10-2018 11:19 PM

Adding TRUNCATE Value while Indexing the logs

0 Karma
Reply
Solved! Jump to solution

bfaber
Communicator
‎10-13-2010 01:04 AM

Is there new answer for 4.1.x? This seems dated.

0 Karma
Reply
Solved! Jump to solution
Solution

jrodman
Splunk Employee
Splunk Employee
‎03-11-2010 08:25 AM

The limit on the maximum displayed event size is property that you set on your events lister to say how long an event you're willing to display. There's a limit because if we allow a 50 meg event to get passed to the browser, the browser will crash, and possibly break the client system as well.

That there was no way to show events larger than this was filed as a defect, SPL-26880, and a method was implemented for 4.0.5 to provide it. There's a bit of goofy behavior in 4.0.x still, resolved in 4.1 (when it ships).

What was changed is the EventsViewer module now accepts a parameter maxLinesConstraint which controls where the ceiling is. The default is still 500. Here's an example of how to change the constraint for the timeline view.

made new directory etc/apps/search/local/data/ui/views
copied etc/apps/search/default/data/ui/flashtimeline.xml to etc/apps/search/local/data/ui/flashtlimeline.xml
Edited file as follows:

--- apps/search/default/data/ui/views/flashtimeline.xml 2009-10-16 02:34:49.000000000 -0700
+++ apps/search/local/data/ui/views/flashtimeline.xml 2009-10-16 17:18:27.000000000 -0700
@@ -125,6 +125,7 @@
                                 </param>

                                 <module name="EventsViewer" layoutPanel="resultsAreaLeft">
+                                  <param name="maxLinesConstraint">1000</param>
                                   <param name="segmentation">full</param>
                                   <param name="reportFieldLink">report_builder_format_report</param>
                                 </module>

Bwooden, the known issue you refer to is the behavior with this in place, in 4.0.5 through 4.0.10.

Reply
Solved! Jump to solution

bwooden
Splunk Employee
Splunk Employee
‎03-10-2010 12:02 AM

I generated a 1000 line long Lorem Ipsum event and fed it to Splunk.
I then added "600" to the flashtimeline view options and made it the default, True

Neither "All" nor "600" showed more than 500 lines. Here is a snippet of said omission.

Proin sollicitudin facilisis ipsum, eget egestas mauris cursus at. ... 207 lines omitted ... Sed eleifend tellus sit amet velit pharetra at dapibus lorem tristique.

There is a known issue with 500+ lines in an entry but it appears to be unrelated as the above happens before collapsing back:

If you expand the view of a large event to the full event and back again to the summary view, subsequent attempts to expand to view the entire event will be restricted to 500 lines. (SPL-27109)

Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...