Splunk Search

Splunk 轉發到 Syslog 的事件, 長度被限制在 1024 bytes

mchang_splunk
Splunk Employee
Splunk Employee

透過Splunk 將已經索引的事件轉發到syslog時,超過1024 bytes的部分會被截斷
請問有何方法解決?

目前使用的版本是 6.1.2

original answer:
https://answers.splunk.com/answers/172761/syslog-forwarding-to-3rd-party-how-do-i-prevent-ev.html

Tags (2)
0 Karma
1 Solution

mchang_splunk
Splunk Employee
Splunk Employee

這是因為RFC-3164的限制,在 Splunk 6.2 之後已經依據RFC-5424修正,可以轉發超過1024 bytes的事件了。(SPL-88144)

另外要注意的是在outputs.conf 新增了 maxEventSize 參數,預設值仍為1024,請適當的增加這個值:

http://docs.splunk.com/Documentation/Splunk/latest/Admin/Outputsconf

maxEventSize = (integer)
If specified, sets the maximum size of an event that splunk will transmit.
All events excedding this size will be truncated.
* Defaults to 1024 bytes.

View solution in original post

mchang_splunk
Splunk Employee
Splunk Employee

這是因為RFC-3164的限制,在 Splunk 6.2 之後已經依據RFC-5424修正,可以轉發超過1024 bytes的事件了。(SPL-88144)

另外要注意的是在outputs.conf 新增了 maxEventSize 參數,預設值仍為1024,請適當的增加這個值:

http://docs.splunk.com/Documentation/Splunk/latest/Admin/Outputsconf

maxEventSize = (integer)
If specified, sets the maximum size of an event that splunk will transmit.
All events excedding this size will be truncated.
* Defaults to 1024 bytes.

Get Updates on the Splunk Community!

Register to Attend BSides SPL 2022 - It's all Happening October 18!

Join like-minded individuals for technical sessions on everything Splunk!  This is a community-led and run ...

What's New in Splunk Cloud Platform 9.0.2208?!

Howdy!  We are happy to share the newest updates in Splunk Cloud Platform 9.0.2208! Analysts can benefit ...

Admin Console: A Single, Unified Interface for All Your Cloud Admin Needs

WATCH NOWJoin us to learn how the admin console can save you time and give you more control over the Splunk® ...