splunkhecexporter field extraction truncates at 1000 characters #31817

Closed
bdschaap opened this issue Mar 18, 2024 · 6 comments
Labels
bug Something isn't working exporter/splunkhec needs triage New item requiring triage

Comments

@bdschaap

Component(s)

No response

What happened?

Description

Field extraction truncates at 1000 characters

Steps to Reproduce

Transmit a field with a value that is more than 1000 characters. I used a stack trace with a value that's well over 1000 characters.

Expected Result

Field isn't truncated

Actual Result

Field is truncated at 1000 characters

Note that routing the log to the debug exporter will yield the entire value of the field.

Collector version

0.92

Environment information

Environment

OS: (e.g., "Ubuntu 20.04")
Compiler(if manually compiled): (e.g., "go 14.2")

OpenTelemetry Collector configuration

receivers:
  otlp:
    ...
exporters:
  splunk_hec:
    ...
  debug:
    verbosity: detailed
service:
  pipelines:
    logs:
      receivers: [otlp]
      exporters: [splunk_hec, debug]

Log output

No response

Additional context

I'm not certain where in the process field extraction and the truncation occur. I'm receiving Otel logs and exporting them via the Splunk HEC exporter. Those logs are then sent to a Splunk Heavy Forwarder, which then forwards them on to Splunk Cloud.

@bdschaap bdschaap added bug Something isn't working needs triage New item requiring triage labels Mar 18, 2024
Contributor

Pinging code owners for exporter/splunkhec: @atoulme @dmitryax. See Adding Labels via Comments if you do not have permissions to add labels yourself.

Contributor

This issue has been inactive for 60 days. It will be closed in 60 days if there is no activity. To ping code owners by adding a component label, see Adding Labels via Comments, or if you are unsure of which component this issue relates to, please ping @open-telemetry/collector-contrib-triagers. If this issue is still relevant, please ping the code owners or leave a comment explaining why it is still relevant. Otherwise, please close it.

Pinging code owners:

See Adding Labels via Comments if you do not have permissions to add labels yourself.

@github-actions github-actions bot added the Stale label May 20, 2024
@bdschaap
Author

This issue still exists. Have also been working w/ Splunk Support on troubleshooting.

@atoulme
Contributor

atoulme commented May 30, 2024

Can you see this issue if you build and send via curl a HEC event manually?
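
The manual HEC test asked for in the comment above, as an added example that is not part of the original thread or the exporter's code: it builds an event whose indexed field is 1500 characters of self-describing offset markers and posts it directly to HEC with curl. `HEC_URL`, `HEC_TOKEN`, the field name `stack_trace` and the value layout are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example (not from the thread). HEC_URL and HEC_TOKEN are placeholders;
# the field name "stack_trace" and the value layout are constructed.

# Emit a value of $1 characters (rounded down to a multiple of 10) built from
# 10-digit chunks "0000000010", "0000000020", ...: each chunk states the
# offset at which it ends, so a cut-off value shows where it was cut.
make_value() {
    n=$1 i=10 out=""
    while [ "$i" -le "$n" ]; do
        out="$out$(printf '%010d' "$i")"
        i=$((i + 10))
    done
    printf '%s' "$out"
}

# Wrap the value in a HEC event as an indexed field. The value is digits only,
# so no JSON escaping is needed.
build_hec_event() {
    printf '{"event":"hec truncation test","fields":{"stack_trace":"%s"}}' \
        "$(make_value "$1")"
}

# Compare a value copied back from Splunk ($2) with the length sent ($1).
check_value() {
    got=${#2}
    if [ "$got" -eq "$1" ]; then
        echo "intact ($got chars)"
    else
        echo "truncated at $got of $1 chars"
    fi
}

# POST the event straight to HEC, bypassing the collector.
send_hec_event() {
    build_hec_event "$1" | curl -sS "$HEC_URL/services/collector/event" \
        -H "Authorization: Splunk $HEC_TOKEN" --data-binary @-
}

# Only touch the network when an endpoint is configured.
if [ -n "${HEC_URL:-}" ] && [ -n "${HEC_TOKEN:-}" ]; then
    send_hec_event 1500
fi
```

If the field arrives intact this way but is cut when sent through the exporter, the collector is implicated; if it is cut at the same offset either way, the cause is downstream of HEC.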

@atoulme
Contributor

atoulme commented Jul 17, 2024

Sorry, I still don't understand your issue here.

Can you provide a sample of input we can use to reproduce? What is a field here, is it a log attribute? A log body?

Can you try to send HEC to a HEC receiver on the same collector and out to debug? This will help us understand what we truncate.

@atoulme
Contributor

atoulme commented Jul 17, 2024

I suspect you have a regex that is misfiring past 1000 characters. See DEPTH_LIMIT here: https://docs.splunk.com/Documentation/SplunkCloud/latest/Knowledge/Configureadvancedextractionswithfieldtransforms

Please continue to work directly with Splunk support and let them know that I am available for troubleshooting. I am going to close this issue at this time.

@atoulme atoulme closed this as completed Jul 17, 2024
3 participants