Finally it turned out that it was not a sed problem. There are sed versions that only support a limited line length. In my case I had to change some other properties: I had to add TRUNCATE = 75000 in props.conf to the source:: stanza, as that is where the SEDCMD is in my configuration. I had to add LOOKAHEAD = 80000 in transforms.conf, as there was LOOKAHEAD = 4096 defined in /opt/splunk/etc/system/default/transforms.conf. So the main problem was LOOKAHEAD = 4096, which affects SEDCMD too. Not really intuitive.
Hi all
We have a similar problem. We read k8s logs coming from fluentd and HEC into Splunk. There is a message field in the JSON, which can be a very long string. Using rex, it is possible to extract the field from the JSON, but without this, the message and all following fields in _raw stay undefined (isnull(...) is true). I tested several settings, including /opt/splunk/etc/system/local/limits.conf with the following content:
[realtime]
indexed_realtime_use_by_default = true
[spath]
extract_all = true
#number of characters to read from an XML or JSON event when auto extracting
extraction_cutoff = 50000
[kv]
maxchars = 1500000
limit = 0
indexed_kv_limit = 0
maxcols = 100000
[rex]
match_limit = 500000
Any idea how to solve this?
Thanks
Matthias
Hi
The SEDCMD is done at index time before the events are stored. The stored events have the color codes stripped off. Maybe there is also a problem with the order of commands. When I changed the sourcetype and deleted the color codes, I had to put the SEDCMD in props.conf before the REPORT... to change the sourcetype. It would be helpful to have the possibility to remove color codes included directly in Splunk.
Hi
I had some trouble defining an indexname out of the path and filename of the sourcefile.
In MetaData:Source, the source name is prefixed with 'source::', so you have to consider this in the regex. Further, in the index name defined in 'FORMAT = ', there is no prefix. The configuration in the example above has to be 'FORMAT = $1' and not 'FORMAT = index::$1'.
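Putting the settings from the posts above together, as an added example that is not from the original thread: a props.conf source stanza that strips ANSI color codes with SEDCMD, raises TRUNCATE, and routes each event to an index derived from the file path through a transforms.conf stanza that reads MetaData:Source. The source path, stanza names, regex and index-name pattern are assumptions; the values 75000 and 80000 are the ones reported in the thread.

```ini
# props.conf (added example; the source path and stanza name are assumptions)
[source::/var/log/containers/*.log]
# Strip ANSI color escape sequences before indexing. SEDCMD runs before
# REPORT-/TRANSFORMS- stanzas, which is the ordering the thread relies on.
SEDCMD-strip_ansi = s/\x1B\[[0-9;]*[mK]//g
# Raise the per-event size limit (default 10000) so long JSON message fields
# are not cut off before SEDCMD and the transforms see the whole event.
TRUNCATE = 75000
# Hand the event to the index-routing transform defined below.
TRANSFORMS-route_index = route_index_from_path

# transforms.conf
[route_index_from_path]
# MetaData:Source holds "source::/var/log/containers/<name>.log", so the regex
# has to account for the "source::" prefix, as the post above points out.
SOURCE_KEY = MetaData:Source
# Capture group 1 becomes the index name; the character class matches the
# characters allowed in Splunk index names (assumed naming scheme).
REGEX = ^source::/var/log/containers/([a-z0-9_-]+)\.log$
# FORMAT is the bare index name. "index::$1" is wrong here.
FORMAT = $1
DEST_KEY = _MetaData:Index
# system/default/transforms.conf sets LOOKAHEAD = 4096, which is too small for
# long events and, per the first post, also limited the SEDCMD result.
LOOKAHEAD = 80000
```

The target index must already exist on the indexer; events routed to an unknown index are dropped unless lastChanceIndex is set in indexes.conf.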
Hi niketnilay
Works like a charm. Thank you very much!!
I missed the <set token="form.tokDropdown2">value_to_set</set>
It is hard to find this form.tokenname in the documentation.
Kind regards
Matthias