×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
keorus
New Member
Member since: ‎02-15-2024
‎02-16-2024
Community Statistics
Posts 3
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎02-15-2024
Activity Feed
Topics I've Started
View All

Re: messages truncate

by in Splunk Search
‎02-16-2024 12:06 AM
‎02-16-2024 12:06 AM
Thanks for your message @gcusello  I just have a little issue, for now i can't touch the configuration of splunk, I have to handle with this configuration. It is a requirement of my team projects. Would that mean that the only solution was to change the splunk configuration? and that there would not be another solution ... View more

messages truncate

by in Splunk Search
‎02-15-2024 07:29 AM
‎02-15-2024 07:29 AM
Good morning, I come to you because after looking for an answer to my problem, my last solution is to come and seek help on the splunk forum. Here is the context: I have hundreds of messages with identical node parameters, only the parameter values change. example: "jobs": dev "position": 3 "city": NY "name": Leo ....... “jobs”: HR "position": 4 “city”: CA "name": Mike ........ The goal is that these hundreds of messages are sometimes truncated because their responses are too large, I would like to find a solution to display them in full? I had thought about increasing the capacity in splink but this is not possible for my project and the truncated logs are -1% so a big change for few logs, not really good moves. My second solution, I thought of making a regex which finds the truncated message grouped into several pieces, is this possible?   I also try some regex to find my message like this, but it not working index="" | eval key="<value i want>" | table _raw If not, maybe you have another idea ?   Thank you for your help and time. Have a good evening ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎02-16-2024 03:40 AM