Documentation > Splunk > Admin Manual > Large events

Admin Manual

 


How Splunk Works
Getting Started
Configuring a Splunk Deployment
Data Inputs
Hosts
Source Types
Timestamp Recognition
Events
Event Types
Meta Events
Fields
Segmentation
Saved Searches and Alerts
Authentication
Data Distribution
Granular Access Control
Distributed Search
Deployment Server
Index Management
Bundles
SplunkBase
Performance Tuning
Routine Maintenance
How-To
Troubleshooting
Reference

Large events

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.

Contents

Large events

Lines over 10,000 bytes

Splunk will break lines over 10,000 bytes into multiple lines of 10,000 bytes each when indexing them. It will append the meta data field meta::truncated to the end of each truncated section. However, it will still group these lines into a single event.


Events over 100,000 bytes

Segments after the first 100,000 bytes of a very long line will be searchable, but Splunk will not display them in search results. It will only display the first 100,000 bytes.


Events over 1,000 segments

Splunk will only display the first 1,000 individual segments of an event as segments that are separated by whitespace and highlighted on mouseover. It will display the rest of the event as raw text without interactive formatting.

Retrieved from "http://docs.splunk.com/Documentation/Splunk/3.0/Admin/LargeEvents"

This documentation applies to the following versions of Splunk: 3.0 , 3.0.1 , 3.0.2 , 3.1 , 3.1.1 , 3.1.2 , 3.1.3 , 3.1.4 View the Article History for its revisions.


You must be logged into splunk.com in order to post comments. Log in now.

Was this documentation topic helpful?

If you'd like to hear back from us, please provide your email address:

We'd love to hear what you think about this topic or the documentation as a whole. Feedback you enter here will be delivered to the documentation team.

Feedback submitted, thanks!