LINE error in splunkd

a212830 · ‎04-22-2013

Hi,

I'm getting the following errors in my splunkd.log:

04-22-2013 09:40:07.187 -0400 WARN LineBreakingProcessor - Truncating line because limit of 10000 has been exceeded with a line length >= 40915 - data_sour
ce="F:\IBM\Lotus\Domino\Trace\stpolicy_130419_2323_1.txt", data_host="STENG01VWIN", data_sourcetype="STCommunityTraceLogs_policy"

So, two questions. These are events that can span multiple lines - should SHOULD_LINEMERGE be set to true? And is there a way to limit the number of lines per event? (And what's the max?)

jharty_splunk · ‎04-22-2013

You may want to review the doc out here:
http://docs.splunk.com/Documentation/Splunk/latest/Data/Indexmulti-lineevents

Yes you can set SHOULD_LINEMERGE = true but you will also have to set an additional parameter to break the event (for example BREAK_ONLY_BEFORE_DATE). A more efficient way of doing is to sety SHOULD_LINEMERGE = false and is set LINE_BREAKER = REGEX

Also, to get around the error you have above increase your MAX_EVENTS setting to 50000 or above:

[yoursourcetypehere]
TRUNCATE = 0
MAX_EVENTS = 50000

kristian_kolb · ‎04-22-2013

Yes and No. In that order.

The linebreaking advice is correct, but TRUNCATE refers to the length of a line (default 10000, '0' means unlimited) and MAX_EVENTS refers to the maximum number of lines in a multiline event (default 256, I think).

See the docs of props.conf, or the link provided above.

LINE error in splunkd

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...