stackoom
  简体   繁体   中英

logs to splunk are getting truncated

 原文  2020-09-15 21:13:30       splunk/ fluentd

Question

I am using fluentd to forward my Kubernetes pod logs to splunk but in splunk I am not able to see full length of pod log as they getting truncated. For example we have a single line log length of 74286 chars, but splunk shows only 16385 chars. what can I do to overcome this issue ?

This way I have configured in fluentd configmap.

<match **>
      @id splunk
      @type splunk-hec
      @log_level info
      server "#{ENV['FLUENT_SPLUNK_HOST']}"
      protocol https
      verify false
      host "#{ENV['CLUSTER_NAME']}_#{ENV['NODE_NAME']}"
      token "#{ENV['FLUENT_SPLUNK_TOKEN']}"
      index "#{ENV['SPLUNK_INDEX']}"
      buffer_type memory
      buffer_queue_limit 256
      buffer_chunk_limit 8m
      batch_size_limit 8000000
      flush_interval 1s
    </match>

1 answers

solution1
 1  2020-09-15 23:03:27

By default, Splunk is supposed to truncate at 10,000 characters. You can change that in your props.conf file.

[mysourcetype]
TRUNCATE = 75000

This would be in addition to the rest of the "magic" 6 settings: TIME_PREFIX , TIME_FORMAT , MAX_TIMESTAMP_LOOKAHEAD , SHOULD_LINEMERGE , and LINE_BREAKER .

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question ECS Splunk logs truncated with splunk-format raw Table from logs in Splunk Filter access logs on Splunk Splunk logs in dashboard Strategy to store logs - Splunk AWS Batch Logs to splunk Splunk combining multiple logs Correlating logs with a pattern in Splunk Exporting logs from GCP to Splunk Pushing logs from python to Splunk
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM