hiltelectric.blogg.se

Splunk itsi rest api regex not working

You can troubleshoot the following event processing and data quality issues when you get data in to the Splunk platform:

The following symptoms indicate that there might be issues with line breaking:

  • You have fewer events than you expect and the events are very large, especially if your events are single-line events.
  • The Monitoring Console Data Quality dashboard displays issues with line breaking.
  • You might see the following error message in the Splunk Web Data Input workflow or in the splunkd.log file: "Truncating line because limit of 10000 bytes has been exceeded".

To confirm that the Splunk platform has line breaking issues, do one or more of the following troubleshooting steps:

  • Visit the Monitoring Console Data Quality dashboard. Check the dashboard table for line breaking issues. See About the Monitoring Console in Monitoring Splunk Enterprise.
  • Look for messages in the splunkd.log file like the following example:

    12-12-2016 13:45:48.709 -0800 WARN LineBreakingProcessor - Truncating line because limit of 10000 bytes has been exceeded with a line length >= 301367.

  • Multiple combined events, or a single event broken into many, indicates a line breaking issue.

To resolve line breaking issues, complete these steps in Splunk Web:

  • Click Upload to test by uploading a file or Monitor to redo the monitor input.
  • Select a file with a sample of your data.
  • On the Set Source Type page, work with the options on the left panel until your sample data is correctly broken into events. To configure LINE_BREAKER or TRUNCATE, click Advanced.
  • Complete the data input workflow or record the correct settings and use them to correct your existing input configurations.

While you work with the options on the Set Source Type page, the LINE_BREAKER setting might not be properly set. The LINE_BREAKER setting must have a capturing group and the group must match the events.

For example, you might have a value of LINE_BREAKER that is not matched. Look for messages with "Truncating line because limit of 10000 bytes has been exceeded" in the splunkd.log file or look for the following message in Splunk Web:

If you find such a message, do the following:

  • Confirm that LINE_BREAKER is properly configured to segment your data into lines as you expect.
  • Confirm that the string you specify in the LINE_BREAKER setting exists in your data.
  • If LINE_BREAKER is configured correctly but you have very long lines, or if you are using LINE_BREAKER as the only method to define events, bypassing line merging later in the indexing pipeline, confirm that the TRUNCATE setting is large enough to contain the entire data fragment delimited by LINE_BREAKER. The default value for TRUNCATE is 10,000. If your events are larger than the TRUNCATE value, you might want to increase the value of TRUNCATE. For performance and memory usage reasons, do not set TRUNCATE to unlimited.

If you do not specify a capturing group, LINE_BREAKER is ignored.

For more information, see Configure event line breaking.

Event breaking issues can pertain to the BREAK_ONLY_BEFORE_DATE and MAX_EVENTS settings and any props.conf configuration file setting with the keyword BREAK.

You might have aggregation issues if you see the following indicators:

  • Aggregation issues present in the Monitoring Console Data Quality dashboard.
  • An error in the Splunk Web Data Input workflow.
  • If events are missing and are very large, especially if your events are single-line events, you might have event breaking issues.

To confirm that the Splunk platform has event breaking issues, do one or more of the following troubleshooting steps:

  • View the Monitoring Console Data Quality dashboard.
  • Search for events that are multiple events combined into one.
  • Check splunkd.log for messages such as the following:

    12-07-2016 09:32:32.876 -0500 WARN AggregatorMiningProcessor - Changing breaking behavior for event stream because MAX_EVENTS (256) was exceeded without a single event break. Will set BREAK_ONLY_BEFORE_DATE to False, and unset any MUST_NOT_BREAK_BEFORE or MUST_NOT_BREAK_AFTER rules. Typically this will amount to treating this data as single-line only.

For line and event breaking, determine whether this issue occurs for one of the following reasons:

  • Your events are properly recognized but are too large for the limits in place. The MAX_EVENTS defines the maximum number of lines in an event.
  • Your events are not properly recognized.

If your events are larger than the limit set in MAX_EVENTS, you can increase limits.
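The two splunkd.log warnings quoted on this page can be searched for mechanically to tell a TRUNCATE problem from a MAX_EVENTS problem. The following Python is an added example, not code from Splunk or from the original page; the function names and the third sample line are constructed for illustration, and the patterns cover only the message text shown above.

```python
import re
from collections import namedtuple

# Patterns built from the two splunkd.log warnings quoted on this page.
TRUNCATE_RE = re.compile(
    r"WARN\s+LineBreakingProcessor - Truncating line because limit of "
    r"(?P<limit>\d+) bytes has been exceeded with a line length >= (?P<length>\d+)"
)
MAX_EVENTS_RE = re.compile(
    r"WARN\s+AggregatorMiningProcessor - Changing breaking behavior for event "
    r"stream because MAX_EVENTS \((?P<limit>\d+)\) was exceeded"
)
Finding = namedtuple("Finding", "kind limit observed")

def scan_splunkd_log(lines):
    """Return one Finding per line that matches either warning."""
    findings = []
    for line in lines:
        m = TRUNCATE_RE.search(line)
        if m:
            # "observed" is a lower bound: the log reports "line length >= N".
            findings.append(Finding("line_breaking", int(m["limit"]), int(m["length"])))
            continue
        m = MAX_EVENTS_RE.search(line)
        if m:
            findings.append(Finding("event_breaking", int(m["limit"]), None))
    return findings

def summarize(findings):
    """Collapse findings into the values to compare against TRUNCATE and MAX_EVENTS."""
    trunc = [f for f in findings if f.kind == "line_breaking"]
    agg = [f for f in findings if f.kind == "event_breaking"]
    return {
        "truncated_lines": len(trunc),
        "truncate_limit": max((f.limit for f in trunc), default=None),
        "longest_line_at_least": max((f.observed for f in trunc), default=None),
        "max_events_hits": len(agg),
        "max_events_limit": max((f.limit for f in agg), default=None),
    }

# Constructed sample: the page's two warnings plus one made-up non-matching line.
SAMPLE_LOG = [
    "12-12-2016 13:45:48.709 -0800 WARN LineBreakingProcessor - Truncating line because limit of 10000 bytes has been exceeded with a line length >= 301367.",
    "12-07-2016 09:32:32.876 -0500 WARN AggregatorMiningProcessor - Changing breaking behavior for event stream because MAX_EVENTS (256) was exceeded without a single event break.",
    "12-07-2016 09:32:33.101 -0500 INFO ExampleComponent - constructed line that should not match",
]

if __name__ == "__main__":
    print(summarize(scan_splunkd_log(SAMPLE_LOG)))
```

A `longest_line_at_least` value far above `truncate_limit` points at LINE_BREAKER not matching the data, while `max_events_hits` above zero points at the event breaking settings.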








