Re: is there any limit on length of one event in S...

kumar518g · ‎02-05-2013

Hi Team,
i am not able to see the complete event log (one log string )in Splunk Search, some of the text got truncated because of that not able to retrieve the required fields.
This is happening for the log strings whose size is large, please let me know how to avoid this issue?

Thanks in Adavnce
Ravi

pallavikarpaklu · ‎09-19-2020

I am facing same issue. Can anyone please suggest the solution?

inventsekar · ‎09-19-2020

Hi @pallavikarpaklu ... may we know the TRUNCATE vaule in your props.conf file please.

pallavikarpaklu · ‎09-21-2020

In props.config Truncate=1000000

Length of string in my log file is 38309

But, in splunk string truncates at length 9967

Appreciate any help.

inventsekar · ‎09-22-2020

UF ---> indexer or

UF---> HF----> indexer

if HF is yes, then, do you have props.conf at HF or indexer or both?

isoutamo · ‎09-22-2020

There could be several truncate which can affect here. At least host, source and sourcetype are places where this can defined. Have you already check all of those? Also check was it so that Sosa have priority over source and last is sourcetype.
r. Ismo

jtworzydlo · ‎02-05-2013

Take a look at this:
http://splunk-base.splunk.com/answers/4162/size-limit-for-an-event

kumar518g · ‎02-05-2013

Hi,
i updated that value in prop.conf in local is this the correct way to change it rite?
Regards
Ravi

kumar518g · ‎02-05-2013

Hi ,
i have increased the TRUNCATE value to 250000 and restarted the server but still am not able to see the complete event still spunk truncating. Please help me
Regards
ravi

ppuru · ‎06-18-2018

Was this issue resolved?

is there any limit on length of one event in Splunk ?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases