Splunk Search

Splunk 轉發到 Syslog 的事件, 長度被限制在 1024 bytes

mchang_splunk
Splunk Employee
Splunk Employee

透過Splunk 將已經索引的事件轉發到syslog時,超過1024 bytes的部分會被截斷
請問有何方法解決?

目前使用的版本是 6.1.2

original answer:
https://answers.splunk.com/answers/172761/syslog-forwarding-to-3rd-party-how-do-i-prevent-ev.html

Tags (2)
0 Karma
1 Solution

mchang_splunk
Splunk Employee
Splunk Employee

這是因為RFC-3164的限制,在 Splunk 6.2 之後已經依據RFC-5424修正,可以轉發超過1024 bytes的事件了。(SPL-88144)

另外要注意的是在outputs.conf 新增了 maxEventSize 參數,預設值仍為1024,請適當的增加這個值:

http://docs.splunk.com/Documentation/Splunk/latest/Admin/Outputsconf

maxEventSize = (integer)
If specified, sets the maximum size of an event that splunk will transmit.
All events excedding this size will be truncated.
* Defaults to 1024 bytes.

View solution in original post

mchang_splunk
Splunk Employee
Splunk Employee

這是因為RFC-3164的限制,在 Splunk 6.2 之後已經依據RFC-5424修正,可以轉發超過1024 bytes的事件了。(SPL-88144)

另外要注意的是在outputs.conf 新增了 maxEventSize 參數,預設值仍為1024,請適當的增加這個值:

http://docs.splunk.com/Documentation/Splunk/latest/Admin/Outputsconf

maxEventSize = (integer)
If specified, sets the maximum size of an event that splunk will transmit.
All events excedding this size will be truncated.
* Defaults to 1024 bytes.

Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...