Solved: Re: Splunk not displaying log data - Page 2

jangid · ‎07-05-2012

My log file contain a long line (35000 chars) with continuous spaces [more then 60 spaces] multiple times inside the log - I can't see this log information in Splunk.

I can't change the log because its coming from 3rd party tool

Any Idea?

kristian_kolb · ‎08-13-2012

Have you looked at the TRUNCATE parameter for props.conf?

By default Splunk will cut lines that are longer than 10000 chars. Changing this to 50000 might improve your situation.

Other things to check - if you are not seeing the data at all - are the simple things;

Look for interesting error messages in splunkd.log
Are timestamps parsed correctly? Try to search for 'All Time'
Are you looking in the right index?
Do you have permissions to read that index? Check in the Manager -> Account controls -> roles -> your role

Hope this helps,

Kristian

View solution in original post

jangid · ‎07-06-2012

I can't see log data at all in Splunk.

I think Splunk ignoring data in a line if detect some continuous spaces - I don't know whether its true or not, its just my guess.

Ayn · ‎07-05-2012

Do you not see the line at all in Splunk, or do you see a truncated version of it?

jangid · ‎07-05-2012

one option is I can split this line in multiple line based on the number of spaces.

Splunk not displaying log data

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk