I'm using a single-instance Splunk Enterprise 6.4.3 deployment on a Windows Server 2012 R2 machine with 16 cores and 12GB RAM.
I want to read from a Microsoft SQL Server database of error logs, which has a "Description" column [of type nvarchar(MAX)] that contains the description and stack trace of errors from our servers. I use Splunk DB Connect 2 to fetch data into a Splunk index.
There seems to be a problem in indexing the contents of this column.
For example, the Description of many events starts with:
Object reference not set to an instance of an object.
However, some of these events are indexed with a Description of "Object (just this one word, and mind the quotation marks!) while the others are indexed with Object reference not set to an instance of an object. (and without any quotation marks). Meanwhile, when you view the actual events of both these types in the search app, they have the full contents of the Description column from the source database, but differ in the contents of the Description field of the Splunk index (as explained above; for example, the first group of events has this: Description="\"Object").
This issue applies to all events, regardless of their starting line. For example, for events whose Description starts with Operation could not be completed due to state transfer..., some of them get indexed with "Operation in the Description field of the Splunk index, and the others get indexed with Operation could not be completed due to state transfer....