I am getting over 1,000 of these warnings in the splunkd.log every minute on one of our indexers.
We are on version 4.3.1 build 119532
WARN LineBreakingProcessor - Truncating line because limit of 10000 has been exceeded: 23824
WARN LineBreakingProcessor - Truncating line because limit of 10000 has been exceeded: 33824
WARN LineBreakingProcessor - Truncating line because limit of 10000 has been exceeded: 31056
...etc
I know I can edit props.conf to change the truncate setting (http://splunk-base.splunk.com/answers/41648/linebreakingprocessor-truncating-line-because-limit-of-10000-has-been-exceeded), but I want to find what events are causing these warnings so I can make sure the sender is not incorrectly configured or sending junk data.
How can I identify these extremely long events?