We have XML events that seem to be getting truncated by splunk and we are not sure why? We are feeding the data through a UDP burst and it just cuts off:
Aug 29 16:14:22 10.142.102.50 Aug 29 16:14:22 pl-wlmuatdp4 [dv05_sr][21C_logs][error] mpgw(PayloadLoggingService): trans(79014981)[request]:
,Timestamp=2013-08-29T16:14:22-04:00,Env=DEV_XML,Source=DMZ,Operation=RateConversion2,Request=<?xml version="1.0" encoding="UTF-8"?>
<env:Envelope xmlns:env="removed" xmlns:xsd="removed" xmlns:xsi="removed" xmlns:dplog="removed" xmlns:SOAP-ENV="removed">
<env:Header/>
<env:Body>
<calculateFinalPremiumComposite xmlns="removed">
<requestHeader>
<userId>138</userId>
<systemDateTime>2013-08-02T07:19:57.305Z</systemDateTime>
<systemName>QFRS</systemName>
<messageReference>6faf94973c185e0a</messageReference>
<functionName>03</functionName>
<transac
does anyone know of any limits on the number of characters per event? Can anyone think of another reason this data would be truncated? Note I had to sensor data aboe to remove web addresses.
Found this on another post -
syslog imposes a 2k (2048 byte) limit on the size of its log events. Believe this is the reason for the truncated events.
Found this on another post -
syslog imposes a 2k (2048 byte) limit on the size of its log events. Believe this is the reason for the truncated events.
The problem we have is that we do not have access to teh server sending the xml. No third party software can be installed. This is why we were using the UDP port for the traffic. We decided to use a TCp port in teh higher ranges to send the data to the splunk heavy forwarder.
If you need, you could use a splunk forwarder to directly monitor the flat xml file.
And create a specific sourcetype with a proper TRUNCATE and MAX_EVENTS limits.