How do you tweak Splunk to display an event that is more than 500 lines long?

Splunk Employee

I'm getting an error in Splunk GUI that says my events are exceeding a 500 max limit. How do you tweak Splunk to display an event that is more than 500 lines long?

1 Solution

Splunk Employee

The limit on the maximum displayed event size is a property that you set on your events lister to say how long an event you're willing to display. There's a limit because if we allow a 50 meg event to get passed to the browser, the browser will crash, and possibly break the client system as well.

That there was no way to show events larger than this was filed as a defect, SPL-26880, and a method was implemented for 4.0.5 to provide it. There's a bit of goofy behavior in 4.0.x still, resolved in 4.1 (when it ships).

What was changed is the EventsViewer module now accepts a parameter maxLinesConstraint which controls where the ceiling is. The default is still 500. Here's an example of how to change the constraint for the timeline view.

made new directory etc/apps/search/local/data/ui/views
copied etc/apps/search/default/data/ui/flashtimeline.xml to etc/apps/search/local/data/ui/flashtimeline.xml
Edited file as follows:

--- apps/search/default/data/ui/views/flashtimeline.xml 2009-10-16 02:34:49.000000000 -0700
+++ apps/search/local/data/ui/views/flashtimeline.xml 2009-10-16 17:18:27.000000000 -0700
@@ -125,6 +125,7 @@
                                 </param>

                                 <module name="EventsViewer" layoutPanel="resultsAreaLeft">
+                                  <param name="maxLinesConstraint">1000</param>
                                   <param name="segmentation">full</param>
                                   <param name="reportFieldLink">report_builder_format_report</param>
                                 </module>
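
Review bot: The added maxLinesConstraint param in the EventsViewer module hard-codes 1000 with nothing recording why that ceiling was chosen. The ceiling is what keeps an oversized event from being handed to the browser, so set it from the largest event you actually need to display rather than an arbitrarily large number, and put an XML comment beside the param stating that. Since the edit sits in a local/ copy of the whole view, that copy should be re-diffed against default/ when the default view changes.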

Bwooden, the known issue you refer to is the behavior with this in place, in 4.0.5 through 4.0.10.
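
The override described in the answer above, as an added example that is not part of the original post or Splunk's own code: it sets maxLinesConstraint on every EventsViewer module of a view, refuses values outside a bounded range, and changes nothing on a second run. The sample view is constructed, and SITE_CEILING and the function names are assumptions; writing the result to the local view file is left to the caller.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a cut-down stand-in for flashtimeline.xml that keeps only
# the EventsViewer module shape visible in the diff above.
SAMPLE_VIEW = """<view>
  <!-- results area -->
  <module name="EventsViewer" layoutPanel="resultsAreaLeft">
    <param name="segmentation">full</param>
    <param name="reportFieldLink">report_builder_format_report</param>
  </module>
</view>"""

DEFAULT_LIMIT = 500   # default ceiling stated in the answer
SITE_CEILING = 5000   # assumed local policy cap, not a Splunk limit


def _parse(view_xml):
    # insert_comments (Python 3.8+) keeps XML comments through the round trip
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    return ET.fromstring(view_xml, parser=parser)


def _viewers(root):
    return [m for m in root.iter("module") if m.get("name") == "EventsViewer"]


def _limit_param(module):
    return next((p for p in module.findall("param")
                 if p.get("name") == "maxLinesConstraint"), None)


def get_max_lines(view_xml):
    """Effective line ceiling of each EventsViewer module in the view."""
    params = [_limit_param(m) for m in _viewers(_parse(view_xml))]
    return [DEFAULT_LIMIT if p is None else int(p.text) for p in params]


def set_max_lines(view_xml, limit):
    """Return (new_xml, changed_count); running it twice changes nothing more."""
    if not DEFAULT_LIMIT < limit <= SITE_CEILING:
        raise ValueError(f"limit must be in ({DEFAULT_LIMIT}, {SITE_CEILING}]")
    root, changed = _parse(view_xml), 0
    for module in _viewers(root):
        param = _limit_param(module)
        if param is None:
            param = ET.Element("param", {"name": "maxLinesConstraint"})
            param.tail = module.text          # reuse the existing indentation
            module.insert(0, param)           # first child, as in the diff
        if (param.text or "").strip() != str(limit):
            param.text, changed = str(limit), changed + 1
    return ET.tostring(root, encoding="unicode"), changed
```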


Explorer

Adding TRUNCATE Value while Indexing the logs

0 Karma

Communicator

Is there a new answer for 4.1.x? This seems dated.

0 Karma

Splunk Employee

I generated a 1000 line long Lorem Ipsum event and fed it to Splunk.
I then added "600" to the flashtimeline view options and made it the default, True

Neither "All" nor "600" showed more than 500 lines. Here is a snippet of said omission.

Proin sollicitudin facilisis ipsum, eget egestas mauris cursus at. ... 207 lines omitted ... Sed eleifend tellus sit amet velit pharetra at dapibus lorem tristique.

There is a known issue with 500+ lines in an entry but it appears to be unrelated as the above happens before collapsing back:

If you expand the view of a large event to the full event and back again to the summary view, subsequent attempts to expand to view the entire event will be restricted to 500 lines. (SPL-27109)