Solved: Re: Changing max length of field

sc0tt · ‎05-20-2014

I have a field that is more than 10,000 characters. I updated props.conf to include

[source::log.txt]
TRUNCATE=20000

Splunk now indexes the entire event, but the content of the long field is being ignored when doing a search. For example search | eval l = len(long_field) returns a length of 1. Where can I change the max length of a field?

Thanks

Ayn · ‎05-20-2014

You might be hitting this limit (from limits.conf):

maxchars = <integer>
* Truncate _raw to this size and then do auto KV.
* Defaults to 10240 characters.

View solution in original post

sc0tt · ‎05-20-2014

Shorter fields work as expected. For example, if I count the field length for all events the max length is 9996; all the fields with a known length greater than 10,000 show as a length of 1. So it is clearly being limited to 10,000 somewhere.

Ayn · ‎05-20-2014

You might be hitting this limit (from limits.conf):

maxchars = <integer>
* Truncate _raw to this size and then do auto KV.
* Defaults to 10240 characters.

jiaminyun · ‎02-19-2021

How many bytes does a character take

sc0tt · ‎05-20-2014

Thanks! That did it. I created a limits.conf file with maxchars = 20000 and it seems to be working as expected. Any known issues with increasing this value even higher? I'm seeing that some events have length > 19000.

pbankar · ‎12-11-2019

Hey @Ayn, is there any limit for the same?

Ayn · ‎05-20-2014

Do shorter fields with the same format work like it should? Or might this be an issue with the extraction itself?

sc0tt · ‎05-20-2014

It's a space delimited field (field=" value1 value2 value3 value4 value5 value6..etc), so just using default Splunk extraction; nothing special is being applied to the file.

Ayn · ‎05-20-2014

How is long_field extracted?

Changing max length of field

Introducing the Splunk Community Dashboard Challenge!

Wondering How to Build Resiliency in the Cloud?

Updated Data Management and AWS GDI Inventory in Splunk Observability