- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: How can we avoid the line truncating warning?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
On the forwarder's splunkd.log, we keep getting the following warning -
09-29-2017 02:11:46.400 -0500 WARN LineBreakingProcessor - Truncating line because limit of 10000 bytes has been exceeded with a line length >= 11636 - data_source="tcp:9080" ...
How can we fix it?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
from the similar posts -
You should be able to add an entry to $SPLUNK_HOME/etc/system/local/props.conf similiar to this (add it specifically for the tcp:9080):
[ tcp:9080]
TRUNCATE = 0
which would disable truncation for that log file. This overrides the default TRUNCATE value for this source.
restart splunk
$SPLUNK_HOME/bin
./splunk restart
Before:
$SPLUNK_HOME/bin/splunk cmd btool props list 'tcp:9080' | grep TRUNCATE
TRUNCATE = 10000
After:
$SPLUNK_HOME/bin/splunk cmd btool props list 'tcp:9080' | grep TRUNCATE
TRUNCATE = 0
the setting you are looking for, see props.conf.spec:
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf
#******************************************************************************
# Line breaking
#******************************************************************************
# Use the following attributes to define the length of a line.
TRUNCATE = <non-negative integer>
* Change the default maximum line length (in bytes).
* Although this is in bytes, line length is rounded down when this would
otherwise land mid-character for multi-byte characters.
* Set to 0 if you never want truncation (very long lines are, however, often a sign of
garbage data).
* Defaults to 10000 bytes.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
from the similar posts -
You should be able to add an entry to $SPLUNK_HOME/etc/system/local/props.conf similiar to this (add it specifically for the tcp:9080):
[ tcp:9080]
TRUNCATE = 0
which would disable truncation for that log file. This overrides the default TRUNCATE value for this source.
restart splunk
$SPLUNK_HOME/bin
./splunk restart
Before:
$SPLUNK_HOME/bin/splunk cmd btool props list 'tcp:9080' | grep TRUNCATE
TRUNCATE = 10000
After:
$SPLUNK_HOME/bin/splunk cmd btool props list 'tcp:9080' | grep TRUNCATE
TRUNCATE = 0
the setting you are looking for, see props.conf.spec:
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf
#******************************************************************************
# Line breaking
#******************************************************************************
# Use the following attributes to define the length of a line.
TRUNCATE = <non-negative integer>
* Change the default maximum line length (in bytes).
* Although this is in bytes, line length is rounded down when this would
otherwise land mid-character for multi-byte characters.
* Set to 0 if you never want truncation (very long lines are, however, often a sign of
garbage data).
* Defaults to 10000 bytes.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Gorgeous !!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
do you do this on the indexer or search head? is the data truncated or is the display of the data truncated?
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
