Splunk Search

Splunk 轉發到 Syslog 的事件, 長度被限制在 1024 bytes

mchang_splunk
Splunk Employee
Splunk Employee

透過Splunk 將已經索引的事件轉發到syslog時,超過1024 bytes的部分會被截斷
請問有何方法解決?

目前使用的版本是 6.1.2

original answer:
https://answers.splunk.com/answers/172761/syslog-forwarding-to-3rd-party-how-do-i-prevent-ev.html

Tags (2)
0 Karma
1 Solution

mchang_splunk
Splunk Employee
Splunk Employee

這是因為RFC-3164的限制,在 Splunk 6.2 之後已經依據RFC-5424修正,可以轉發超過1024 bytes的事件了。(SPL-88144)

另外要注意的是在outputs.conf 新增了 maxEventSize 參數,預設值仍為1024,請適當的增加這個值:

http://docs.splunk.com/Documentation/Splunk/latest/Admin/Outputsconf

maxEventSize = (integer)
If specified, sets the maximum size of an event that splunk will transmit.
All events excedding this size will be truncated.
* Defaults to 1024 bytes.

View solution in original post

mchang_splunk
Splunk Employee
Splunk Employee

這是因為RFC-3164的限制,在 Splunk 6.2 之後已經依據RFC-5424修正,可以轉發超過1024 bytes的事件了。(SPL-88144)

另外要注意的是在outputs.conf 新增了 maxEventSize 參數,預設值仍為1024,請適當的增加這個值:

http://docs.splunk.com/Documentation/Splunk/latest/Admin/Outputsconf

maxEventSize = (integer)
If specified, sets the maximum size of an event that splunk will transmit.
All events excedding this size will be truncated.
* Defaults to 1024 bytes.

Get Updates on the Splunk Community!

Splunk is Nurturing Tomorrow’s Cybersecurity Leaders Today

Meet Carol Wright. She leads the Splunk Academic Alliance program at Splunk. The Splunk Academic Alliance ...

Part 2: A Guide to Maximizing Splunk IT Service Intelligence

Welcome to the second segment of our guide. In Part 1, we covered the essentials of getting started with ITSI ...

Part 1: A Guide to Maximizing Splunk IT Service Intelligence

As modern IT environments continue to grow in complexity and speed, the ability to efficiently manage and ...