04-06-2017 12:17:13.106 +0000 WARN AggregatorMiningProcessor - Changing breaking behavior for event stream because MAX_EVENTS (256) was exceeded without a single event break. Will set BREAK_ONLY_BEFORE_DATE to False, and unset any MUST_NOT_BREAK_BEFORE or MUST_NOT_BREAK_AFTER rules. Typically this will amount to treating this data as single-line only. - data_source="http-stream", data_host="184.108.40.206", data_sourcetype="log:websitewadlog"
component = AggregatorMiningProcessor index = _internal log_level = WARN source = /opt/splunk/var/log/splunk/splunkd.log sourcetype = splunkd splunk_server = SplunkIndexer1
04-06-2017 12:17:13.106 +0000 WARN AggregatorMiningProcessor - Breaking event because limit of 256 has been exceeded - data_source="http-stream", data_host="220.127.116.11", data_sourcetype="log:websitewadlog"
I have already updated the source type with truncate = 0 and max_events =1000 still i am facing the issue can any one help.
What else i could do to resolve this issue.
... View more