My log file contains a long line (35000 chars) with continuous spaces [more than 60 spaces] multiple times inside the log - I can't see this log information in Splunk.
I can't change the log because it's coming from a 3rd party tool.
Any idea?
Have you looked at the TRUNCATE parameter for props.conf?
By default Splunk will cut lines that are longer than 10000 chars. Changing this to 50000 might improve your situation.
Other things to check - if you are not seeing the data at all - are the simple things;
Look for interesting error messages in splunkd.log
Are timestamps parsed correctly? Try to search for 'All Time'
Are you looking in the right index?
Do you have permissions to read that index? Check in the Manager -> Account controls -> roles -> your role
Hope this helps,
Kristian
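A way to check whether truncation explains the missing data before raising TRUNCATE in props.conf, as an added example that is not part of the original thread: it measures each raw line in bytes against the limit and reports how much would be cut and how long the whitespace runs are. The function names and the sample lines are constructed for illustration, and truncation is modelled here as a plain byte cut at the limit.

```python
import re

DEFAULT_TRUNCATE = 10000  # default line-length limit quoted in the answer above


def line_report(line, limit=DEFAULT_TRUNCATE):
    """Measure one raw log line (UTF-8 bytes) against a TRUNCATE limit."""
    raw = line.rstrip("\r\n").encode("utf-8")
    runs = re.findall(rb"[ \t]+", raw)  # consecutive spaces and tabs
    return {
        "bytes": len(raw),
        "lost": max(0, len(raw) - limit),  # bytes beyond the cut
        "longest_ws_run": max((len(r) for r in runs), default=0),
        "ws_bytes": sum(len(r) for r in runs),
    }


def scan(lines, limit=DEFAULT_TRUNCATE):
    """Return (line_number, report) for every line that would be cut."""
    hits = []
    for number, line in enumerate(lines, start=1):
        report = line_report(line, limit)
        if report["lost"]:
            hits.append((number, report))
    return hits


def suggested_truncate(lines, headroom=0.25):
    """Longest line plus headroom, rounded up to a multiple of 1000."""
    longest = max((line_report(l)["bytes"] for l in lines), default=0)
    need = int(longest * (1 + headroom))
    return -(-need // 1000) * 1000  # ceiling division


def sample_lines():
    """Constructed sample: one short event and one 35000-byte event
    padded with runs of 60 spaces and 15 tabs, as described in the thread."""
    unit = "<v>" + " " * 60 + "\t" * 15 + "</v>"
    long_line = (unit * 500)[:35000]
    return ["I0705 13:59:35.496698 19354 test.cpp:500] short event\n",
            long_line + "\n"]


if __name__ == "__main__":
    data = sample_lines()
    for number, report in scan(data):
        print(f"line {number}: {report}")
    print("suggested TRUNCATE:", suggested_truncate(data))
```

To use it on a real file, pass `open(path, encoding="utf-8", errors="replace")` to `scan` in place of the constructed sample.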
I can't see this error anymore
Hi Drainy, can you please tell me how to remove TAB and space char before indexing?
You can remove them before indexing, but it's unlikely that Splunk is struggling with them. It could be the Web UI struggling to render them perhaps but I am dubious that it isn't dealing with the tab or spaces as at a very basic level they are just another character.
Thanks for your quick response.
In Splunk, is there any option to remove tab chars or spaces between > < chars before forwarding?
Sorry, I've been out and abooot. Well Splunk shouldn't have any issue with that really, if anything it could be a line-breaking issue with how Splunk is splitting the data. Perhaps you could paste it to pastebin.com, then we can grab a decent copy to test on our own systems
Hi Drainy, any update regarding my query?
I0705 13:59:35.496698 19354 test.cpp:500] test::call: setParam(i=0, 'TEST.XML,,,,,,<<?xml version="1.0" encoding="UTF-8"?>
Thanks Drainy
Could you paste the data in pastebin? This will keep its original formatting and we can test it on our systems. I doubt it's lost any of the data, it's probably just parsing it or rendering it oddly 🙂
After removing tab spaces I am still losing my data in Splunk 😞
I think this is a bug in Splunk - the same behavior for a similar log with multiple tabs or spaces.
Can you guys please confirm?
Did anyone get a chance to figure this out?
I am not sure whether this editor will truncate some TAB chars or not; if you give me your email address I'll send you the text format.
Could you post some example data with the secret parts hashed out or obscured?
Is this a bug in Splunk?
I can see the data after this line in Splunk search.
How did you verify that Splunk has read the file correctly?
Yes, I verified - my log line contains 15 tab chars continuously 9-10 times.
Due to privacy reasons I can't post the entire line here.
Have you verified that it has read the file correctly or checked for any errors in the internal logs?