product
service
- Simple Security Consulting [Consulting]
- Splunk SOAR Automation Assessment Service [Consulting]
- Dashboard/SPL Creation Pack [Implementation/Building Support]
- Version upgrade service [implementation and construction support]
- Splunk Premium Apps construction support service [implementation and construction support]
- Splunk Security Log Analysis Start Package [Original App/Service]
- Splunk × CrowdStrike Falcon Insight, Macnica Original App [Original App/Service]
- Government uniform standard compatible App [Original App/Service]
- Smart Security Monitoring App [Original App/Service]
- Splunk × LANSCOPE Original App [Original App/Service]
- Security Monitoring App for Box [Original App/Service]
- Cloud Security Monitoring App [Original App/Service]
- SIEM Operation Monitoring Service [Original App/Service]
- List of services
- Macnica Premium Support for Splunk (utilization support, version upgrade monitoring)
- Macnica Premium Support for Splunk Skill Up Package
Specifications/Technical Information
Application for evaluation machine
- FAQ
Maximum size of one event and how to change it
- release date
- 2015-08-03
- last updated
- 2024-01-18
- version
- Splunk Enterprise 9.1.0
- Overview
- About the default value of the maximum size of one event (maximum size of one line, maximum number of lines) and how to change it
- Reference information
- content
-
The default values and how to change the maximum size of one event (maximum size of one line, maximum number of lines) are described below.
About the maximum size of one line
The maximum size of one line is 10000 bytes by default.
Data exceeding 10000 bytes per line will be truncated after 10001 bytes.
To change it, change the TRUNCATE value in the props.conf file.
Setting Example
<Target files>
Heavy forwarder, indexer (if not using heavy forwarder)
$SPLUNK_HOME/etc/apps/<App名>/local/props.confor
$SPLUNK_HOME/etc/system/local/props.conf<Setting details>
[test]
TRUNCATE=50000*Specify the maximum size of one line in bytes.
*Setting TRUNCATE=0 will prevent truncation.
Please note the following and specify the required size according to your environment.
Note
When importing data with a large number of characters per line, this may affect performance.*$SPLUNK_HOME is the installation directory. By default it is as follows.
<Linux>
Splunk Enterprise : /opt/splunk
Universal Forwarder : /opt/splunkforwarder<Windows>
Splunk Enterprise : C:\Program Files\Splunk
Universal Forwarder : C:\Program Files\SplunkUniversalForwarderAfter making any configuration changes, restart the Splunk service.
$SPLUNK_HOME/bin/splunk restartAbout the maximum number of lines for one event
The default maximum number of lines per event is 257.
From then on, events will be split and imported.To change it, change the MAX_EVENTS value in the props.conf file.
<Setting example>
To capture an event with source type "test" and change its maximum row count:
<Target files>
Heavy forwarder, indexer (if not using heavy forwarder)
$SPLUNK_HOME/etc/apps/<App名>/local/props.confor
$SPLUNK_HOME/etc/system/local/props.conf<Setting details>
[test]
MAX_EVENTS=256*Specify the number of lines. There is no upper limit.
*After changing the settings, please restart the Splunk service.
$SPLUNK_HOME/bin/splunk restartNotes
Both TRUNCATE and MAX_EVENTS are limitations to avoid impacting indexing and search performance.
When changing it, specify the size you need, not a value that is effectively unlimited.
that's all
In charge of Macnica Splunk Co., Ltd.
- TEL:045-476-2010
- E-mail:splunk-sales@macnica.co.jp
Mon-Fri 8:45-17:30
