I notice that CSV ingestion (from Splunk Web file upload) sometimes cuts off an event, possibly because one field is extra lengthy. In one example, I see that Splunk only gets roughly 8,160 characte...
See more...
I notice that CSV ingestion (from Splunk Web file upload) sometimes cuts off an event, possibly because one field is extra lengthy. In one example, I see that Splunk only gets roughly 8,160 characters of a column that has 8,615 characters. That field and any column after the column, are not extracted. (Those ~8100 characters remain in Splunk's raw event.) When I took the same CSV file to a similarly configured instance, however, ingestion was successful for this event. No missing fields. Particularly surprising is that I have increased [kv]maxchars in the instance that had this trouble. So, I suspect that if I ingest it again in the same instance, it may succeed as well. In other words, this seems rather random. (Even without increasing maxchars, the length in this column is still smaller than default (10,240).) Instance 1 (dropped part of event) Instance 2 (event ingestion complete) limits.conf [kv] From local/limits.conf indexed_kv_limit = 1000
maxchars = 40960 From default/limits.conf indexed_kv_limit = 200
maxchars = 10240 RAM 16 GB 8 GB What else should I check? Both instances run Splunk Enterprise 9.1.1.