Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

TCP/UDP truncates files at 10K

tmontney
Builder
‎11-04-2016 10:17 PM

Like many questions I've seen here, anything sent via TCP/UDP is being cut off after 10K.

I have a simple app deployed to clients. My inputs.conf has a stanza for a script, and it's to run a program that will (at the end) send JSON data back via TCP. I figured this was better than monitoring an output file. This file is between 40 to 50K. Per suggestions, I created a props.conf in my ./myapp/local.

[tcp://515]
truncate = 100000

Or perhaps I've understood how to implement props.conf correctly. I restarted the Splunk service after making this change, sent the data again, and it's cut off at 10K.

Tags (1)
0 Karma
Reply

koshyk
Super Champion
‎11-05-2016 02:04 AM

how much increased to? Please note 10K is "bytes" and not characters.
Try putting it as "0" and try

Also I believe if it is json, don't use just bytes, but use something like..

[tcp://515]
 KV_MODE = json
 LINE_BREAKER = "(^){"
 NO_BINARY_CHECK = 1
 TRUNCATE = 0
 SHOULD_LINEMERGE = false
0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...