Hi @jpcontrerasaditum - I am also trying to manipulate a weblog with nearly 36k events and exactly the same requirements, which are:
1. line break at &&&, then
2. send 404 status code events to notfoundindex, and
3. reassign all the events to the access_combined sourcetype.
But it doesn't seem to work with the entire log file. So I tried with 10 events only and was able to achieve 1. but not 2. and 3. I get the following error:
truncating at 10000 bytes because size exceeded splunk with a line length >= 15512
I tried truncate = 50000 and truncate = 0, but that makes Splunk unresponsive.
So were you able to resolve the issue? I would appreciate it if you could help.