Getting Data In

Syslog data from UDP. Maximum message size?

eject
Engager

What's the maximum message size that Splunk's syslog input will accept via UDP? How can I increase it?


BenAveling
Path Finder

This sounds like a UDP problem, not a Splunk problem.

For me, anything up to 65507 bytes is received (and truncated to 10000 bytes). Anything longer just gets lost.

If you have Perl, maybe try sending to the following script and see what happens:

```perl
#!/usr/bin/perl
# Minimal UDP listener: prints every datagram it receives together with its
# length, so you can see whether large syslog messages arrive intact before
# they ever reach Splunk.
use strict;
use warnings;
use IO::Socket;

my $usage = qq{Usage:
  perl udp_server.pl port
};

my $port = shift or die "port not specified\n\n$usage";

my $response = IO::Socket::INET->new(Proto => "udp", LocalPort => $port)
  or die "Can't make UDP server: $@";

my $message = 0;

while (1) {
  print "Listening on $port...\n";
  my $datagram;
  my $flags = 0;
  # Ask for up to 100000 bytes: more than any IPv4 UDP payload (65507), so
  # the whole datagram comes back in one call and nothing is discarded.
  $response->recv($datagram, 100000, $flags) or warn "recv failed: $!\n";
  print "Got message ", ++$message, " from ", $response->peerhost,
        ", flags ", ($flags || "none"), ": $datagram\n",
        "length: ", length($datagram), "\n";
}
```
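The same check can be driven from the sending side. The block below is an added example, not part of the thread and not Splunk's code: it sends BSD-syslog-style datagrams of chosen sizes to a loopback receiver and reports how many bytes each one arrives with, so you can separate "the datagram never made it" (a network or OS limit) from "it arrived but was cut" (a receiver whose recv() buffer is too small, the case dwaddle's strace suggestion is meant to catch). The PRI value, timestamp, host and tag in the messages, and the sizes probed, are constructed sample values; the receiver binds an ephemeral port, so it does not conflict with a real listener on 514.

```python
import socket

# Largest IPv4 UDP payload: 65535 - 20 (IPv4 header) - 8 (UDP header).
UDP_MAX_PAYLOAD = 65507


def syslog_message(size: int, pri: int = 13, tag: str = "sizetest") -> bytes:
    """Build a BSD-syslog-style datagram padded to exactly `size` bytes.

    PRI, timestamp, host and tag are constructed sample values."""
    header = f"<{pri}>Jan  1 00:00:00 testhost {tag}: ".encode("ascii")
    if size < len(header):
        raise ValueError(f"size must be at least {len(header)} bytes")
    return header + b"x" * (size - len(header))


def probe_udp_sizes(sizes, recv_bufsize=65535, host="127.0.0.1", timeout=2.0):
    """Send one datagram per requested size to a loopback receiver and report
    how many bytes each one arrived with.

    Returns {size: bytes_received, or None if it never arrived, or an error
    string}.  `recv_bufsize` is the length handed to recvfrom(); pass a value
    smaller than the datagram to reproduce a receiver whose recv() buffer is
    too small (Linux silently discards the excess, Windows raises an error)."""
    results = {}
    receiver = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        receiver.bind((host, 0))          # ephemeral port: no clash with a real 514 listener
        receiver.settimeout(timeout)
        port = receiver.getsockname()[1]
        for size in sizes:
            payload = syslog_message(size)
            try:
                sender.sendto(payload, (host, port))
            except OSError as exc:         # EMSGSIZE above 65507 bytes, or a lower OS limit
                results[size] = f"send failed: {exc.strerror}"
                continue
            try:
                data, _ = receiver.recvfrom(recv_bufsize)
                results[size] = len(data)
            except socket.timeout:         # datagram was lost on the way
                results[size] = None
            except OSError as exc:         # e.g. WSAEMSGSIZE on Windows with a short buffer
                results[size] = f"recv failed: {exc.strerror}"
    finally:
        receiver.close()
        sender.close()
    return results


if __name__ == "__main__":
    sizes = [1900, 2600, 10000, UDP_MAX_PAYLOAD, UDP_MAX_PAYLOAD + 1]
    for size, outcome in probe_udp_sizes(sizes).items():
        print(f"sent {size:>6} bytes -> {outcome}")
    # A receive buffer smaller than the datagram: the rest of the message is gone.
    for size, outcome in probe_udp_sizes([2600], recv_bufsize=1500).items():
        print(f"sent {size:>6} bytes, recv buffer 1500 -> {outcome}")
```

Run it on the Splunk host itself first: if every size up to 65507 arrives on loopback but not from the real sender, the limit is on the path (a router or host dropping fragments of datagrams larger than the MTU is the usual suspect), not on the Splunk side.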

hazekamp
Builder

Splunk uses the TRUNCATE setting in props.conf to determine maximum message size. By default this is set to 10000 bytes.

```text
## props.conf.spec
TRUNCATE = <non-negative integer>
* Change the default maximum line length (in bytes).
* Although this is in bytes, line length is rounded down when this would
  otherwise land mid-character for multi-byte characters.
* Set to 0 if you never want truncation (very long lines are, however, often a sign of
  garbage data).
* Defaults to 10000 bytes.
```
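To make the spec text concrete, here is an added example (written for this page, not Splunk's own code) that re-implements the documented TRUNCATE rule in Python: a limit of 0 disables truncation, and when the byte limit would split a multi-byte UTF-8 character the line is rounded down to the last complete character. The sample events are constructed; the 10000 default and the rounding rule come straight from the spec above.

```python
def truncate_line(line: bytes, limit: int) -> bytes:
    """Cut `line` to at most `limit` bytes as props.conf TRUNCATE describes:
    0 means never truncate, and a cut that would land inside a multi-byte
    UTF-8 character is rounded down to the last complete character.
    (Re-implementation of the documented rule, not Splunk's code.)"""
    if limit < 0:
        raise ValueError("TRUNCATE must be a non-negative integer")
    if limit == 0 or len(line) <= limit:
        return line
    cut = limit
    # UTF-8 continuation bytes look like 0b10xxxxxx.  If the byte just past
    # the cut is one, the cut splits a character: back up to its lead byte.
    while cut > 0 and (line[cut] & 0xC0) == 0x80:
        cut -= 1
    return line[:cut]


def truncation_report(events, limit):
    """Return (index, original_len, kept_len) for every event in `events`
    that TRUNCATE=limit would shorten."""
    report = []
    for i, ev in enumerate(events):
        kept = truncate_line(ev, limit)
        if len(kept) != len(ev):
            report.append((i, len(ev), len(kept)))
    return report


# Constructed sample events: a short syslog line, a 12030-byte line, and a
# line where byte offset 10000 falls inside the two-byte character "é".
SAMPLE_EVENTS = [
    b"<13>Jan  1 00:00:00 host app: short line",
    b"<13>Jan  1 00:00:00 host app: " + b"x" * 12000,
    b"a" * 9999 + "é".encode("utf-8") + b"tail",
]

if __name__ == "__main__":
    for setting in (10000, 0):
        print(f"TRUNCATE = {setting}: {truncation_report(SAMPLE_EVENTS, setting)}")
```

Two practical notes. TRUNCATE is read per props.conf stanza (for example the sourcetype your UDP input is assigned), and overrides belong in etc/system/local/props.conf or an app's local directory; files under etc/system/default are replaced on upgrade. And the setting only caps the length of an event that Splunk has already received, so it cannot explain a datagram that never shows up at all.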

dwaddle
SplunkTrust

I might suggest trying to run strace on splunk's calls to recv(). You'll want to make sure that the buffer size passed to recv() is big enough to receive the whole datagram in one call.


eject
Engager

I've set TRUNCATE = 0 in C:\Program Files\Splunk\etc\system\default\props.conf and restarted Splunk. I tried to send 2600 bytes and it isn't displayed :(.

With Wireshark I see that the messages reached the server.

All messages smaller than 1900 bytes display just fine. How can I debug this problem?
