Splunk search for Sourcetypes that are Being Truncated

Copy
index=_internal sourcetype=splunkd "truncating line" | rex field=_raw "line length\s+>=\s+(?<length>\d+)" | search length=* | stats max(length) as length, count by data_sourcetype
This search will return sourcetypes that are being truncated at index time, as well as the maximum length of the truncated event within the time range searched. This search can be useful for identifying either sourcetypes that need to have their truncate setting updated in props.conf or that may have event breaking issues.
0 comments
Sign in or Register to submit a comment