why events breaks after 257line when max_events=10...

marcokrueger · ‎04-25-2013

I have multi-line (Json) events and have configured the import by

NO_BINARY_CHECK=1 
BREAK_ONLY_BEFORE = ^    { 
KV_MODE = json 
MAX_EVENTS = 10000 
MAX_TIMESTAMP_LOOKAHEAD = 14 
NO_BINARY_CHECK = 1 
SHOULD_LINEMERGE = true 
TIME_PREFIX = "startTime": 
TRUNCATE = 0 
pulldown_type=1

but splunk still breaks the event after 257 lines.

best regards
Marco

kristian_kolb · ‎04-25-2013

Hi,

Are you applying the settings in the right place? Could be an issue of the config file precedence and/or where in the deployment (forwarder/indexer phases) the configurations is made.

Plaese see;

http://docs.splunk.com/Documentation/Splunk/latest/Admin/Wheretofindtheconfigurationfiles

http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings

Hope this helps,

Kristian

Ayn · ‎04-26-2013

And you do this on the indexer? Or the forwarder?

marcokrueger · ‎04-26-2013

Hi Kristian,
I do it in the $SPLUNK_HOME/etc/system/local/props.conf and it seems that this have the highest priority so I wonder why the MAX_EVENTS = 10000 takes no effect.
Is there any condition for MAX_EVENT lets work?

best regards
Marco

why events breaks after 257line when max_events=10000 ist set?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms