Admin Manual

 


Long Lines and Large Events

This documentation does not apply to the most recent version of Splunk.

Lines over 10,000 bytes

Splunk will break lines over 10,000 bytes into multiple lines of 10,000 bytes each when indexing them. It will append the metadata field meta::truncated to the end of each truncated section. However, it will still group these lines into a single event.


Events over 100,000 bytes

Segments after the first 100,000 bytes of a very long line will be searchable, but Splunk will not display them in search results. It will only display the first 100,000 bytes.


Events over 1,000 segments

Splunk will only display the first 1,000 individual segments of an event as segments that are separated by whitespace and highlighted on mouseover. It will display the rest of the event as raw text without interactive formatting.
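
The following is an added example, not Splunk code: a pre-indexing check that flags log lines which would be broken into 10,000-byte pieces, only partly displayed (past 100,000 bytes), or shown partly as raw text (past 1,000 segments). It assumes one input line is one event and approximates a segment as a whitespace-separated token; the function names and the sample data are constructed for illustration.

```python
LINE_CHUNK_BYTES = 10_000      # lines longer than this are broken into pieces
DISPLAY_BYTES = 100_000        # only this many bytes are displayed in results
DISPLAY_SEGMENTS = 1_000       # only this many segments get interactive display


def chunk_line(raw: bytes, size: int = LINE_CHUNK_BYTES) -> list[bytes]:
    """Split one raw line into consecutive pieces of at most `size` bytes."""
    return [raw[i:i + size] for i in range(0, len(raw), size)] or [b""]


def check_event(raw: bytes) -> dict:
    """Report which documented limits a single-line event exceeds.

    Assumptions: one input line is one event, and a segment is a
    whitespace-separated token (an approximation of displayed segments).
    """
    segments = raw.split()
    return {
        "bytes": len(raw),
        "chunks": len(chunk_line(raw)),
        "broken_into_chunks": len(raw) > LINE_CHUNK_BYTES,
        "bytes_not_displayed": max(0, len(raw) - DISPLAY_BYTES),
        "segments": len(segments),
        "segments_shown_as_raw_text": max(0, len(segments) - DISPLAY_SEGMENTS),
    }


def audit(lines):
    """Return (line_number, report) for every line that exceeds any limit."""
    findings = []
    for number, raw in enumerate(lines, start=1):
        report = check_event(raw.rstrip(b"\r\n"))
        if (report["broken_into_chunks"] or report["bytes_not_displayed"]
                or report["segments_shown_as_raw_text"]):
            findings.append((number, report))
    return findings


# Constructed sample input, not real log data.
SAMPLE = [
    b"2008-01-01 12:00:00 short event user=alice action=login\n",
    b"payload=" + b"A" * 25_000 + b"\n",            # over 10,000 bytes
    b" ".join([b"tok"] * 1_500) + b"\n",            # over 1,000 segments
    b"blob=" + b"B" * 120_000 + b" trailer=end\n",  # over 100,000 bytes
]

if __name__ == "__main__":
    for number, report in audit(SAMPLE):
        print(number, report)
```

To audit a real file, pass an iterable of byte lines, for example a file opened in binary mode, to audit().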

This documentation applies to the following versions of Splunk: 2.1, 2.2, 2.2.1, 2.2.3, 2.2.6.

