A customer is having issues with truncated events greater than 64K. What configuration should be deployed to a universal forwarder (UF) to fix the issue?
A. None. Splunk default configurations will process the events as needed; the UF is not causing truncation.
B. Configure the best practice magic 6 or great 8 props.conf settings.
C. EVENT_BREAKER_ENABLE and EVENT_BREAKER regular expression settings per sourcetype.
D. Global EVENT_BREAKER_ENABLE and EVENT_BREAKER regular expression settings.
Magic 6 or the Great 8 is a best practice for sure, but on the Universal Forwarder you can only set EVENT_BREAKER_ENABLE and EVENT_BREAKER.
(Ref: Core Implementation Notes p. 169-171)
For sure B! C is not wrong, but it is part of B, and B should be done in any case as best practice. Ref: https://www.sicherevielfalt.de/blog/the-ultimate-splunk-magic-8-for-a-dramatic-performance-boost/
The question is about a universal forwarder (UF).
You can only set EVENT_BREAKER_ENABLE and EVENT_BREAKER on a UF.
MAGIC 8 won't work there, so C should be the answer.
bobixaka (1 month ago)
hpbdcb (4 months, 3 weeks ago)
bobixaka (1 month ago)
Steve2610 (1 year, 8 months ago)
huu_nguyen (1 year, 10 months ago)
Redtonyeah (2 years, 1 month ago)