Environment
- EDR Server: 6.x and Above
- Event Forwarder: 3.4.5 and Above
- Splunk: 6.x and older
Symptoms
Events larger than 10 KB sent by the Event Forwarder do not appear in Splunk.
Cause
Splunk 6.x and older enforces a default maximum event size of 10 KB. Events from the Event Forwarder larger than 10 KB are dropped at ingestion and are never indexed, so they are silently missing from searches.
Resolution
- On the server hosting the Event Forwarder, edit:
/etc/cb/integrations/event-forwarder/cb-event-forwarder.conf
- Add:
remove_from_output=highlights_by_doc
- Restart the Event Forwarder service.
initctl restart cb-event-forwarder
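To confirm that the missing events are the oversized ones, and that dropping highlights_by_doc is enough to bring them under the limit, you can audit a sample of the forwarder's JSON-lines output before and after the change. The script below is an added example, not part of this article or of the Event Forwarder; it assumes the page's 10 KB limit is 10,000 bytes (adjustable via SPLUNK_EVENT_LIMIT) and uses two constructed sample events rather than real forwarder output.

```python
import json
import sys

# Assumption: the article's "10 KB" limit is taken as 10,000 bytes here;
# change this to match the limit configured on the Splunk side.
SPLUNK_EVENT_LIMIT = 10_000

# Constructed sample of two forwarder events in JSON-lines form (not real
# forwarder output): one small, one padded with a large highlights_by_doc
# field so that it exceeds the limit.
SAMPLE_EVENTS = "\n".join([
    json.dumps({"type": "watchlist.hit.process",
                "process_guid": "00000000-0000-0000-0000-000000000001",
                "highlights_by_doc": {}}),
    json.dumps({"type": "watchlist.hit.process",
                "process_guid": "00000000-0000-0000-0000-000000000002",
                "highlights_by_doc": {"doc": ["<em>match</em> " * 2000]}}),
])


def event_size(event: dict) -> int:
    """Size in bytes of the event serialised as compact UTF-8 JSON."""
    return len(json.dumps(event, separators=(",", ":")).encode("utf-8"))


def audit_events(jsonl: str, field: str = "highlights_by_doc",
                 limit: int = SPLUNK_EVENT_LIMIT) -> list:
    """For each event line: its size, whether Splunk would drop it, and
    whether removing `field` (what remove_from_output strips) would fix it."""
    report = []
    for lineno, line in enumerate(jsonl.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            # Malformed lines are reported rather than silently skipped.
            report.append({"line": lineno, "error": "not valid JSON"})
            continue
        size = event_size(event)
        stripped = {k: v for k, v in event.items() if k != field}
        size_without = event_size(stripped)
        report.append({
            "line": lineno,
            "type": event.get("type"),
            "size": size,
            "dropped": size > limit,
            "size_without_field": size_without,
            "fixed_by_removal": size > limit and size_without <= limit,
        })
    return report


def summarize(report: list) -> dict:
    """Counts of events that would be dropped and how many the field removal fixes."""
    dropped = [r for r in report if r.get("dropped")]
    return {
        "events": len([r for r in report if "error" not in r]),
        "dropped": len(dropped),
        "fixed_by_removal": len([r for r in dropped if r["fixed_by_removal"]]),
        "still_too_large": len([r for r in dropped if not r["fixed_by_removal"]]),
    }


if __name__ == "__main__":
    # Usage: python audit.py <forwarder-output.jsonl>; with no argument the
    # constructed sample is audited.
    data = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_EVENTS
    for row in audit_events(data):
        print(row)
    print(summarize(audit_events(data)))
```

Events reported as `still_too_large` would remain missing even after the configuration change; for those, raising the limit on the Splunk side (see Additional Notes) is the only option.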
Additional Notes
Alternatively, the event size limit can be raised on the Splunk side so that events larger than 10 KB are indexed.