-
Notifications
You must be signed in to change notification settings - Fork 18.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Splunk logging driver truncates messages at 4K size when splunk-format is set to raw #37096
Comments
Only think I see using 4k is the stream channel; moby/daemon/logger/splunk/splunk.go Lines 57 to 58 in f653485
These values can be overridden with environment variables though; moby/daemon/logger/splunk/splunk.go Lines 254 to 256 in f653485
moby/daemon/logger/splunk/splunk.go Lines 65 to 67 in f653485
|
@thaJeztah I think the environment variables here are to limit how often to send batch of events, and how many messages to store in cache..etc as documented here https://docs.docker.com/config/containers/logging/splunk/#advanced-options, the problem I see is for raw format messages, number of characters allowed per message is 4096, any thing bigger than is chopped. But for inline format message, messages are bigger than 10K bytes, but I heard the limit is 16K. This issue is to identify if there is any difference in the way raw messages are processed compared to inline. |
cc @luckyj5 There shouldn't be any difference between the how raw and inline messages are processed. I'll verify it. At the same time, you could try to increase the channel size through env variable SPLUNK_LOGGING_DRIVER_CHANNEL_SIZE and see if it helps. |
I see these lines, in the code, not sure if "prefix.Bytes()" has anything to do with limiting message to 4K chars.
But not seeing prefix.Bytes for inline or json format.
|
@kyaparla I actually cannot reproduce this issue. The messages I receive are truncated at 16kb which is docker daemon's limit. I'm using Docker version 18.03.1-ce, build 9ee9f40 Command I run is
|
@kyaparla I am seeing similar behavior where the logs from the log field getting truncated at 16kb. I can reproduce this consistently. Is there a workaround for setting the log size to 64k? The log is being truncated into four separate log. Running docker-ce 18.6.1 and I'm not using splunk. |
Splunk logging driver truncates messages at 4K size, when splunk-format is setup to RAW. However, with splunk-format as inline, we are able to send messages >10K.
@sharonx, @chenziliang
The text was updated successfully, but these errors were encountered: