Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Where can I change the maximum of the event length to prevent that events are truncated at index-time

rrovers
Contributor
‎06-04-2024 11:25 PM

Events longer than 15.000 characters are truncated now. 

  • We wonder if there is a limit for this (so for example in the configuration the maximum event length can't be set to a number higher than 50.000).
  • Where and how can we change this limit for a certain index.
Labels (1)
Labels
0 Karma
Reply

tej57
Contributor
‎06-05-2024 01:45 AM

Hello @rrovers,

You can update the truncate limit on the first Splunk Enterprise instance that the data encounters. If your data flow is UF -> IUF -> Indexers or UF -> Indexers, in that case you need to place the following sourcetype on the indexers. And if your data flow is UF -> IHF -> Indexers, in that case you'll need to place the sourcetype configuration on the IHF. Here, IUF and IHF refer to Intermediate Universal Forwarder and Intermediate Heavy Forwarder respectively.

[<<sourcetype>>]
TRUNCATE = <<max_length_of_event>>

Also, you can set TRUNCATE to any value you wish. 

---
Thanks,
Tejas.

Reply
Get Updates on the Splunk Community!

Expert Tips from Splunk Education, Observability in Action, Plus More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Changes to Splunk Instructor-Led Training Completion Criteria

We’re excited to share an update to our instructor-led training program that enhances the learning experience ...

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

❄️ Welcome the new year with our January lineup of Community Office Hours, Tech Talks, and Webinars! &#x1f389; ...