I am working with log lines of pure JSON (so no need to rex the lines - Splunk is correctly parsing and extracting all the JSON fields). However, some of these lines are extremely long (greater than 5000 characters).
In order for Splunk to parse these long lines I have set TRUNCATE=0 in props.conf and this is working.
However, when I search, Splunk is not parsing the JSON fields at the end of the longer lines, meaning that if I search on these particular fields, the long lines don't appear in the search results.
Fields at the start of long lines do get parsed correctly.
Lines less than 5000 characters with the same fields do get parsed and searched correctly, so it's not a problem with the JSON field itself.
Is there some config setting or some command in my search that I can add to parse these lines, regardless of length?
Thanks in advance.