I've got a pretty strange issue, and I'm sure there is a simple answer for it. Here is my env:
7.1.2
All default configs, but the inputs.conf which contains
[monitor:///Users/MYUSER/splunk_messages]
index = test
sourcetype = json
When I update the splunk_messages file with the following JSON, it's cutting it off right before "created":
{
  "Data": {
    "id": "-LGDT2S8qYVIJvqoLJwC",
    "created": "2018-06-30T02:14:18Z",
    "expires": "2018-07-01T02:14:18Z",
    "status": "WAITING",
    "completed": 0,
    "reason": "NONE"
  }
}
The result is
There are no other events after or before this event. It's not like it's splitting the event.
I then remove the "created" key and value, and the full JSON event shows:
Does anyone know what could be causing this? I've been looking through the default conf files and can't find anything to cause this. Maybe it's a default behavior of Splunk and I'm not seeing it in the docs.
Thanks!