Solved: How to prevent data truncation in TABLE command?

pkurt · ‎08-14-2018

Hi All,

I have a data truncation problem. I have a long event that is >10,000 characters. I updated the props.conf TRUNCATE field to 100,000 and this works great to view full event. However, when I want to dump data in an organized format with TABLE command it still limits me to 10,000 characters.

Specifically, I have a search command like this:

{base search} | table key1, key2, key3, ...

{base search} displays more than 10,000 characters if I run it by itself because I changed TRUNCATE in props.conf. But when I add "| table" then table thinks that I am only giving it 10,000 characters. So some output keys in the table are broken.

Is there a different property I can update in props.conf to fix this problem?

pkurt · ‎08-14-2018

Solved the problem with the tips given in this post:
https://answers.splunk.com/answers/548885/is-there-a-limit-on-searchable-characters-in-an-ev.html

View solution in original post

pkurt · ‎08-14-2018

Solved the problem with the tips given in this post:
https://answers.splunk.com/answers/548885/is-there-a-limit-on-searchable-characters-in-an-ev.html

pkurt · ‎08-14-2018

I followed the instructions given in this link for the truncated results:
http://docs.splunk.com/Documentation/Splunk/7.1.2/SearchReference/Table

My limit.conf file has "truncate_report=FALSE" as default. I changed it to "0". It gave still truncated results...
I also tried setting it to "1" in order to make max_count to be effective, but it did not work either. I also tried "fields" instead of "table" function but it still returns truncated results.

I would appreciate any further help. Thanks!

How to prevent data truncation in TABLE command?

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...