Solved: Splunk 轉發到 Syslog 的事件, 長度被限制在 1024 bytes

mchang_splunk · ‎11-26-2014

透過Splunk 將已經索引的事件轉發到syslog時，超過1024 bytes的部分會被截斷
請問有何方法解決？

目前使用的版本是 6.1.2

original answer:
https://answers.splunk.com/answers/172761/syslog-forwarding-to-3rd-party-how-do-i-prevent-ev.html

mchang_splunk · ‎11-26-2014

這是因為RFC-3164的限制，在 Splunk 6.2 之後已經依據RFC-5424修正，可以轉發超過1024 bytes的事件了。(SPL-88144)

另外要注意的是在outputs.conf 新增了 maxEventSize 參數，預設值仍為1024，請適當的增加這個值:

http://docs.splunk.com/Documentation/Splunk/latest/Admin/Outputsconf

maxEventSize = (integer)
If specified, sets the maximum size of an event that splunk will transmit.
All events excedding this size will be truncated.
* Defaults to 1024 bytes.

View solution in original post

mchang_splunk · ‎11-26-2014

這是因為RFC-3164的限制，在 Splunk 6.2 之後已經依據RFC-5424修正，可以轉發超過1024 bytes的事件了。(SPL-88144)

另外要注意的是在outputs.conf 新增了 maxEventSize 參數，預設值仍為1024，請適當的增加這個值:

http://docs.splunk.com/Documentation/Splunk/latest/Admin/Outputsconf

maxEventSize = (integer)
If specified, sets the maximum size of an event that splunk will transmit.
All events excedding this size will be truncated.
* Defaults to 1024 bytes.

Splunk 轉發到 Syslog 的事件, 長度被限制在 1024 bytes

Can’t make it to .conf25? Join us online!

What Is Splunk? Here’s What You Can Do with Splunk

Level Up Your .conf25: Splunk Arcade Comes to Boston

Manual Instrumentation with Splunk Observability Cloud: How to Instrument Frontend ...

Are you a member of the Splunk Community?

Splunk 轉發到 Syslog 的事件, 長度被限制在 1024 bytes

Can’t make it to .conf25? Join us online!

What Is Splunk? Here’s What You Can Do with Splunk

Level Up Your .conf25: Splunk Arcade Comes to Boston

Manual Instrumentation with Splunk Observability Cloud: How to Instrument Frontend ...