Getting Data In

Why is my JSON format log getting truncated?

pdantuuri0411
Explorer

I have a log which has a JSON format line in the middle. Splunk is extracting the log but is truncating the JSON part to 26 lines. How do I get the full log without Splunk truncating the JSON lines?

0 Karma

MuS
SplunkTrust

Hi pdantuuri0411,

Without seeing a sample event, my guess is that Splunk sees one of the values in the JSON as an epoch timestamp. Have a read here http://docs.splunk.com/Documentation/Splunk/latest/Data/Configureeventlinebreaking and configure the line breaking accordingly.

Hope this helps ...

cheers, MuS

0 Karma

KailA
Contributor

Splunk truncates an event after 10 000 characters. If you want to add more characters to a single event, you should modify your sourcetype in props.conf and add TRUNCATE = <integer>
That should be enough.

KailA

yarick
Path Finder

MAX_EVENTS = <integer> Specifies the maximum number of input lines that Splunk software adds to any event. The software breaks the event after it reads the specified number of lines. 256 lines

REF. https://docs.splunk.com/Documentation/Splunk/7.1.2/Data/Configureeventlinebreaking

0 Karma
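
The settings named in the answers above (line breaking, TRUNCATE, MAX_EVENTS), combined in one props.conf stanza. This is an added example, not configuration posted by anyone in the thread; the sourcetype name `my_app_json_log`, the timestamp layout and the limit values are assumptions to adapt to the actual log.

```ini
# props.conf on the instance that parses the data (indexer or heavy forwarder).
# Added example: sourcetype name, timestamp layout and limits are assumed values.
[my_app_json_log]

# Assumed event layout: every event starts with a line such as
#   2024-01-15 10:23:45,123 INFO request body:
# followed by a multi-line JSON document.
SHOULD_LINEMERGE = true

# Start a new event only on a line that begins with that timestamp ...
BREAK_ONLY_BEFORE = ^\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}
# ... and not on any line where Splunk merely recognises a date or epoch-like
# number, which is how a value inside the JSON can split the event early.
BREAK_ONLY_BEFORE_DATE = false

# Read the event timestamp from the first 23 characters only, so numeric
# values inside the JSON are never considered as timestamps.
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 23
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N

# Line limit per merged event (default 256). Applies when SHOULD_LINEMERGE = true.
MAX_EVENTS = 1000

# Size limit per line in bytes (default 10000). A bounded value is safer than
# TRUNCATE = 0 (never truncate), which lets malformed input produce huge events.
TRUNCATE = 100000
```

These are parse-time settings: they take effect for data indexed after the change and a restart of the parsing instance, and events already indexed stay truncated.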

mstjohn_splunk
Splunk Employee

Hi @pdanturri0411,

Thanks for posting. Could you give us some more context for your query? You have a much better chance of getting your question answered if you provide more information about your issue. Plus, it will help guide future community users who are facing a similar problem.

0 Karma