- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- File Eating
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am eating NESSUS.V1 files from our Nessus contiues monitoring system
Nessus puts the output from the scan in XML format in the v1 files and the indivitule system info is put in a one event format when it is read into Splunk indexer.
The problem is some of the events are more than 257 lines and Splunk is truncating the events at 257.
Then I lose some of the event integrity and I have to go look at the very next event to get the rest of the data.
How can I increase the number of lines for this source or source type?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Change MAX_EVENTS for your sourcetype in props.conf.
MAX_EVENTS = <integer>
* Specifies the maximum number of input lines to add to any event.
* Splunk breaks after the specified number of lines are read.
* Defaults to 256 (lines).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Change MAX_EVENTS for your sourcetype in props.conf.
MAX_EVENTS = <integer>
* Specifies the maximum number of input lines to add to any event.
* Splunk breaks after the specified number of lines are read.
* Defaults to 256 (lines).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well in this case it was either on a UF or an indexer, so...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well, line breaking hapens whereever the parsing occurs. With a Universal Forwarder, it is indeed on the indexer, but details are: http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings%3F
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Line breaking is done on the indexer, so that's where the props.conf changes should go.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ayn,
Do you think I should modify the props.conf in the universal forwarder app "/etc/deployment-apps/appName/Local" or the indexer "etc/system/local" ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks Ayn,
I found this post after I asked the question
http://splunk-base.splunk.com/answers/6764/events-chunked-into-256-lines
Thanks again
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Also, I would be very interested to hear what you're doing and what you want to do with Nessus reports in Splunk. I'm in the process of creating an app for Nessus and some other vulnerability scanners so I'm very thankful for all input!
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
