Hi,
I'm getting the following errors in my splunkd.log:
04-22-2013 09:40:07.187 -0400 WARN LineBreakingProcessor - Truncating line because limit of 10000 has been exceeded with a line length >= 40915 - data_sour
ce="F:\IBM\Lotus\Domino\Trace\stpolicy_130419_2323_1.txt", data_host="STENG01VWIN", data_sourcetype="STCommunityTraceLogs_policy"
So, two questions. These are events that can span multiple lines - should SHOULD_LINEMERGE be set to true? And is there a way to limit the number of lines per event? (And what's the max?)
You may want to review the doc out here:
http://docs.splunk.com/Documentation/Splunk/latest/Data/Indexmulti-lineevents
Yes you can set SHOULD_LINEMERGE = true but you will also have to set an additional parameter to break the event (for example BREAK_ONLY_BEFORE_DATE). A more efficient way of doing is to sety SHOULD_LINEMERGE = false and is set LINE_BREAKER = REGEX
Also, to get around the error you have above increase your MAX_EVENTS setting to 50000 or above:
[yoursourcetypehere]
TRUNCATE = 0
MAX_EVENTS = 50000
Yes and No. In that order.
The linebreaking advice is correct, but TRUNCATE refers to the length of a line (default 10000, '0' means unlimited) and MAX_EVENTS refers to the maximum number of lines in a multiline event (default 256, I think).
See the docs of props.conf, or the link provided above.