Getting Data In

File Eating

hartfoml
Motivator

I am eating NESSUS.V1 files from our Nessus continuous monitoring system

Nessus puts the output from the scan in XML format in the v1 files and the individual system info is put in a one event format when it is read into Splunk indexer.

The problem is some of the events are more than 257 lines and Splunk is truncating the events at 257.

Then I lose some of the event integrity and I have to go look at the very next event to get the rest of the data.

How can I increase the number of lines for this source or source type?

1 Solution

Ayn
Legend

Change MAX_EVENTS for your sourcetype in props.conf.

MAX_EVENTS = <integer>
* Specifies the maximum number of input lines to add to any event.
* Splunk breaks after the specified number of lines are read.
* Defaults to 256 (lines).
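A props.conf stanza that applies this answer, added here as an example and not taken from the thread. The sourcetype name nessus_v1 and the 2000-line limit are assumptions; per the later replies in this thread, it belongs on the indexer (wherever parsing happens), not on the Universal Forwarder.

```ini
# props.conf on the indexer (line merging happens where parsing occurs).
# Sourcetype name is an assumption; use the one your Nessus input assigns.
[nessus_v1]
# Nessus v1 XML is multi-line: keep merging lines into one event per host.
SHOULD_LINEMERGE = true
# Raise the per-event line cap above the 256-line default that was
# splitting host records into two events. Pick a value above the longest
# host block you actually see (2000 is an assumed value).
MAX_EVENTS = 2000
# MAX_EVENTS counts lines, not bytes. TRUNCATE (default 10000 bytes) still
# caps event size, so a long XML host block would be cut there instead.
# Raise it as well; 0 disables truncation entirely.
TRUNCATE = 200000
```

Restart the indexer (or reload props) after the change; events already indexed keep their 256-line split, only new data is affected.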


Ayn
Legend

Well in this case it was either on a UF or an indexer, so...


gkanapathy
Splunk Employee
Splunk Employee

Well, line breaking happens wherever the parsing occurs. With a Universal Forwarder, it is indeed on the indexer, but details are: http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings%3F


Ayn
Legend

Line breaking is done on the indexer, so that's where the props.conf changes should go.


hartfoml
Motivator

Ayn,

Do you think I should modify the props.conf in the universal forwarder app "/etc/deployment-apps/appName/Local" or the indexer "etc/system/local" ?


hartfoml
Motivator

Thanks Ayn,

I found this post after I asked the question

http://splunk-base.splunk.com/answers/6764/events-chunked-into-256-lines

Thanks again


Ayn
Legend

Also, I would be very interested to hear what you're doing and what you want to do with Nessus reports in Splunk. I'm in the process of creating an app for Nessus and some other vulnerability scanners so I'm very thankful for all input!
