Re: max value for truncate, max_events

SplunkCSIT · ‎04-17-2014

What is the max value for truncate, max_events as my xml files size is 10Mbytes? thks.

kristian_kolb · ‎04-18-2014

Are you really sure that you want a 10MB file in a single event? Actually, I'm not sure that it will really work, i.e. if there are other limitations that are non-configurable. But it's always worth a try.

See the docs:

http://docs.splunk.com/Documentation/Splunk/6.0.3/Admin/Propsconf

MAX_EVENTS = <integer>
 * Specifies the maximum number of input lines to add to any event.
 * Splunk breaks after the specified number of lines are read.
 * Defaults to 256 (lines).

TRUNCATE = <non-negative integer>
* Change the default maximum line length (in bytes).
* Although this is in bytes, line length is rounded down when this would
  otherwise land mid-character for multi-byte characters.
* Set to 0 if you never want truncation (very long lines are, however, often a sign of
  garbage data).

/K

martin_mueller · ‎04-18-2014

Multiple MB in a single event do work from an indexing and searching point of view, whether it makes sense to do that depends on your use case.

SplunkCSIT · ‎04-18-2014

I had saw that and confirm that more 20K files in a single event will not work. So i need to remove certain tags in a xml also dont work becuase that particular tag are more than 20K bytes large. So how to split one event into multiple event and also to ensure all the files are forwarded to indexer?

max value for truncate, max_events

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases