Splunk Search

How to prevent data truncation in TABLE command?

pkurt
Path Finder

Hi All,

I have a data truncation problem. I have a long event that is >10,000 characters. I updated the props.conf TRUNCATE field to 100,000 and this works great to view full event. However, when I want to dump data in an organized format with TABLE command it still limits me to 10,000 characters.

Specifically, I have a search command like this:

{base search} | table key1, key2, key3, ...

{base search} displays more than 10,000 characters if I run it by itself because I changed TRUNCATE in props.conf. But when I add "| table" then table thinks that I am only giving it 10,000 characters. So some output keys in the table are broken.

Is there a different property I can update in props.conf to fix this problem?

0 Karma
1 Solution

pkurt
Path Finder
0 Karma

pkurt
Path Finder
0 Karma

pkurt
Path Finder

I followed the instructions given in this link for the truncated results:
http://docs.splunk.com/Documentation/Splunk/7.1.2/SearchReference/Table

My limit.conf file has "truncate_report=FALSE" as default. I changed it to "0". It gave still truncated results...
I also tried setting it to "1" in order to make max_count to be effective, but it did not work either. I also tried "fields" instead of "table" function but it still returns truncated results.

I would appreciate any further help. Thanks!

0 Karma
Get Updates on the Splunk Community!

Leveraging Detections from the Splunk Threat Research Team & Cisco Talos

  Now On Demand  Stay ahead of today’s evolving threats with the combined power of the Splunk Threat Research ...

New in Splunk Observability Cloud: Automated Archiving for Unused Metrics

Automated Archival is a new capability within Metrics Management; which is a robust usage & cost optimization ...

Calling All Security Pros: Ready to Race Through Boston?

Hey Splunkers, .conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...