Knowledge Base

Yes

Environment

EDR Server: 6.x and Above
Event Forwarder: 3.4.5 and Above
Splunk: 6.x and older

Symptoms

Events sized over 10 KB from the Event Forwarder are unexpectedly not present inside of Splunk.

Cause

Splunk 6.x and older has a default event size limit of 10 KB. Events from the Event Forwarder larger than 10 KB are ignored and not loaded into the Splunk system.

Resolution

On the server hosting the Event Forwarder, edit:

/etc/cb/integrations/event-forwarder/cb-event-forwarder.conf

Add:

remove_from_output=highlights_by_doc

Restart the Event Forwarder service.

initctl restart cb-event-forwarder

Additional Notes

Event size limit can be increased in Splunk

Knowledge Base

EDR: Event Forwarder sends events larger than 10 KB

EDR: Event Forwarder sends events larger than 10 KB

Environment

Symptoms

Cause

Resolution

Additional Notes

Related Content

EDR

Knowledge Base

EDR: Event Forwarder sends events larger than 10 KB

EDR: Event Forwarder sends events larger than 10 KB

Environment

Symptoms

Cause

Resolution

Additional Notes

Related Content

EDR

Thank you for your feedback.

Thank you for your feedback.