Splunk Configuration
Aaron Lippold edited this page Mar 8, 2022
Splunk's default configuration can cause data loss or indexing issues when using `saf convert:hdf2splunk`: the default key/value extraction limits and line-merging behaviour can truncate or split the large HDF events the converter sends. Make the following changes to your Splunk server's configuration files (typically in `/opt/splunk/etc/system/local/`) before running the command.
**limits.conf** (see Splunk's limits.conf docs)

```ini
[kv]
limit = 10000000
maxchars = 1000000
```
**props.conf** (see Splunk's props.conf docs)

```ini
[HDF2Splunk]
SHOULD_LINEMERGE = false
EVENT_BREAKER_ENABLE = true
EVENT_BREAKER = ([\n]+)
TRUNCATE = 0
```
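To confirm these settings are actually in place on a server before running the converter, the following added Python check (not part of the SAF CLI or this wiki) parses `limits.conf` and `props.conf` from the local configuration directory and reports any stanza, key or value that differs from the values above. It assumes Splunk's INI-style `.conf` files are readable by Python's `configparser` and that the directory path is passed as the first argument (defaulting to `/opt/splunk/etc/system/local`).

```python
"""Check a Splunk local config directory for the settings the HDF2Splunk converter needs."""
import configparser
import sys
from pathlib import Path

# Expected stanzas and values, exactly as listed on this page.
REQUIRED = {
    "limits.conf": {"kv": {"limit": "10000000", "maxchars": "1000000"}},
    "props.conf": {"HDF2Splunk": {
        "SHOULD_LINEMERGE": "false",
        "EVENT_BREAKER_ENABLE": "true",
        "EVENT_BREAKER": r"([\n]+)",
        "TRUNCATE": "0",
    }},
}

def parse_conf(text: str) -> configparser.ConfigParser:
    """Parse Splunk's INI-style .conf text, preserving key case (Splunk keys are case-sensitive)."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep SHOULD_LINEMERGE etc. as written instead of lowercasing
    parser.read_string(text)
    return parser

def check_conf(filename: str, text: str) -> list[str]:
    """Return the problems (missing stanza, missing key, wrong value) found in one file's text."""
    problems = []
    parser = parse_conf(text)
    for stanza, keys in REQUIRED[filename].items():
        if not parser.has_section(stanza):
            problems.append(f"{filename}: missing stanza [{stanza}]")
            continue
        for key, want in keys.items():
            got = parser.get(stanza, key, fallback=None)
            if got is None:
                problems.append(f"{filename}: [{stanza}] missing {key} = {want}")
            elif got.strip().lower() != want.lower():  # Splunk booleans are case-insensitive
                problems.append(f"{filename}: [{stanza}] {key} = {got.strip()!r}, expected {want!r}")
    return problems

def check_dir(local_dir: Path) -> list[str]:
    """Check <local_dir>/limits.conf and props.conf; a missing file is itself a problem."""
    problems = []
    for filename in REQUIRED:
        path = local_dir / filename
        if not path.is_file():
            problems.append(f"{filename}: not found in {local_dir}")
            continue
        problems.extend(check_conf(filename, path.read_text()))
    return problems

if __name__ == "__main__":
    local = Path(sys.argv[1] if len(sys.argv) > 1 else "/opt/splunk/etc/system/local")
    for problem in check_dir(local):
        print("PROBLEM:", problem)
```

An empty result means both files carry the values above; run it again after restarting Splunk if you edited the files through a deployment server.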