Splunk Search

Why is Splunk not displaying the full log entry?

vcorral
New Member

I am only receiving the first two lines of a log entry into Splunk:

Date: 2019/03/12 14:00:10
SOFTWARE Module: D:\SOFTWARE_Enterprise\Service6.exe Machine Name: TESTSERVER001T Database Name: ORA-TEST

When the full entry should be:
Date: 2019/03/12 14:00:10
SOFTWARE Module: D:\SOFTWARE_Enterprise\Service6.exe Machine Name: TESTSERVER001T Database Name: ORA-TEST
Product Version: Release X.XX.XX.XX Jul 20 2018 11:57:17
Source id: Device <7616>
Software Integration Service Unavailable

Other log entries from other indexes are displaying the full log entries until they reach the truncate size, and this one is shorter than those. Any thoughts on where I can look to fix this would be appreciated.

Regards,
Virgil

0 Karma

vcorral
New Member

So I figured this out. My props.conf file did not have anything set for "BREAK_ONLY_BEFORE = ".
I added "Date:" to the line and now it works.

0 Karma
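A way to check a candidate BREAK_ONLY_BEFORE regex against sample lines before deploying it, as an added example that is not part of the original thread and is not Splunk's code: `merge_events` is a simplified model in which any line matching the regex starts a new event, and the sample, including the `Last Update Date:` line, is constructed. It goes slightly beyond the thread by comparing `Date:` with an anchored `^Date:`.

```python
import re

# Constructed sample: two entries in the format shown in the question.
# The "Last Update Date:" line is an invented continuation line.
SAMPLE = r"""Date: 2019/03/12 14:00:10
SOFTWARE Module: D:\SOFTWARE_Enterprise\Service6.exe Machine Name: TESTSERVER001T Database Name: ORA-TEST
Product Version: Release X.XX.XX.XX Jul 20 2018 11:57:17
Source id: Device <7616>
Software Integration Service Unavailable
Date: 2019/03/12 14:05:42
SOFTWARE Module: D:\SOFTWARE_Enterprise\Service6.exe Machine Name: TESTSERVER001T Database Name: ORA-TEST
Last Update Date: 2018/07/20
Software Integration Service Unavailable
"""


def merge_events(text, break_only_before):
    """Simplified line-merging model: a line matching the regex starts a new event."""
    pattern = re.compile(break_only_before)
    events, current = [], []
    for line in text.splitlines():
        if not line.strip():
            continue  # ignore blank lines in the sample
        if pattern.search(line) and current:
            events.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        events.append("\n".join(current))
    return events


def line_counts(text, break_only_before):
    """Number of lines in each merged event, in order."""
    return [len(e.splitlines()) for e in merge_events(text, break_only_before)]


if __name__ == "__main__":
    # Unanchored "Date:" also matches "Last Update Date:" and splits the
    # second entry; anchoring to the start of the line keeps it whole.
    for regex in ("Date:", r"^Date:"):
        print(f"{regex!r:10} -> lines per event: {line_counts(SAMPLE, regex)}")
```

An event that comes out shorter than the source entry means the tail lines are being indexed as separate events, so searches and alerts keyed on the header fields will not see them.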