We're pushing a few different JSON files to our Splunk server via a Splunk Forwarder running on a different machine. With the smaller JSON file (https://gist.github.com/tleyden/d6d29fd5442c512405b6) (11k), it seems to be understood as JSON by the server UI, and it allows tree-style navigation:
![alt text][2]
OTOH, with a bigger JSON file (https://gist.github.com/7f562131e54239250318) (65k), it does not have the same tree-style navigation, and it appears to be being truncated (and I guess the two are probably related)
![alt text][3]
How can I fix this? Where is the truncation happening? On the machine running the forwarder, or the server where it's being forwarded to? (I'm guessing the former, and so the configuration fix would have to be done on the forwarder)
The way the JSON is being forwarded is by this forwarding rule:
sudo /opt/splunkforwarder/bin/splunk add monitor /tmp/jsontest -index main -sourcetype sync_gateway_expvars
and there has been no additional configuration for our custom sourcetype (and in fact, I later realized that this sourcetype is probably being misused, and the source should be sync_gateway_expvars)
I'm a splunk n00b, so please don't assume very much knowledge. Thanks in advance for any help!
[1]: https://gist.github.com/tleyden/d6d29fd5442c512405b6
[2]: /storage/temp/66343-splunk-json1.png
[3]: /storage/temp/66344-splunk-json2.png
↧
How to get large a JSON file recognized as JSON in Splunk Web and prevent it from being truncated?
↧