Truncated Data Issues

Displays sourcetypes being truncated on ingest, then on selection, shows the related _internal message & the an event that caused it to trigger.

<form>
  <label>Data Issues</label>
  <description>Truncation, Date Parsing and Timestamp issues</description>
  <fieldset submitButton="false">
    <input type="time" token="field1">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Choose a problematic sourcetype</title>
      <table>
        <search>
          <query>index=_internal sourcetype=splunkd component=LineBreakingProcessor  
| extract 
| rex "because\slimit\sof\s(?&lt;limit&gt;\S+).*&gt;=\s(?&lt;actual&gt;\S+)" 
| stats count avg(actual) max(actual)  dc(data_source) dc(data_host) BY data_sourcetype, limit 
| eval avg(actual)=round('avg(actual)') 
| sort - count</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <drilldown>
          <set token="form.data_sourcetype">$row.data_sourcetype$</set>
          <set token="form.limit">$row.limit$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel depends="$form.data_sourcetype$">
      <title>Event in _internal</title>
      <table>
        <search>
          <query>index=_internal sourcetype=splunkd component=LineBreakingProcessor data_sourcetype="$form.data_sourcetype$" | extract | rex "because\slimit\sof\s(?&lt;limit&gt;\S+).*&gt;=\s(?&lt;actual&gt;\S+)" | fields _raw _time data_sourcetype limit</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
        <option name="count">10</option>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
    <panel depends="$form.data_sourcetype$">
      <title>Event that reaches the limit</title>
      <event>
        <search>
          <query>index=* OR index=_* sourcetype=$form.data_sourcetype$ | eval length=len(_raw) |search  length=$form.limit$</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
        <option name="list.drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </event>
    </panel>
  </row>
</form>

Splunk Query Repository

Truncated Data Issues

Leave A Comment? Click here to cancel reply.

Splunk Query Repository

Truncated Data Issues

Related Queries

ESCU Update Tracking

Dashboard: Splunk Insights – Users & Roles

exploremydata – data explorer

Leave A Comment? Click here to cancel reply.