Prisma Cloud: Splunk Integration receiving Broken logs / Incomplete logs

Created On 09/20/23 15:59 PM - Last Modified 08/28/24 14:21 PM


Symptom


  • When an alert is raised and Prisma Cloud sends the alert payload to your Splunk integration, the logs that arrive in Splunk appear incomplete or broken.


Environment




Cause


  • Once an alert is raised, the alert payload viewed in your Splunk integration appears incomplete or broken.
[Screenshot: GUI > Splunk Environment, showing the truncated alert payload]


Resolution


  1. Note that by default Splunk limits messages to 10,000 bytes (characters). You can increase this limit in the Splunk properties files, depending on the size of your JSON records.
  2. Use this link, which explains the situation in more detail and how to increase the limit.
  3. Once the limit has been increased, you should see the complete logs for future alerts.
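A quick way to confirm that the limit is the problem, and to size the new value, is to check whether the indexed events are valid JSON and whether their length sits exactly at the cap. The script below is an added example, not part of this article or of Prisma Cloud or Splunk; it assumes Splunk's per-event cap is the `TRUNCATE` setting in props.conf (default 10000 bytes), that each Prisma Cloud alert arrives as one JSON object, and it uses a placeholder sourcetype name `prisma_cloud_alert` and a constructed, illustrative alert shape rather than the real Prisma Cloud schema.

```python
"""Classify Splunk-indexed Prisma Cloud alert events as complete, truncated or
malformed, and render the props.conf stanza that raises the cap.

Added example (not from the article, Prisma Cloud or Splunk). Assumptions:
Splunk's props.conf TRUNCATE setting is the 10,000-byte cap the article refers
to; "prisma_cloud_alert" is a placeholder sourcetype; the alert layout in
build_sample_alert() is constructed for illustration only.
"""
import json

SPLUNK_DEFAULT_TRUNCATE = 10_000     # bytes: Splunk's default TRUNCATE value
PRISMA_MAX_PAYLOAD = 800 * 1024      # bytes: the article says payloads stay under 800 KB


def classify_event(raw_event: str, limit: int = SPLUNK_DEFAULT_TRUNCATE) -> str:
    """Return 'complete', 'truncated' or 'malformed' for one indexed event.

    A complete alert parses as JSON. An event that fails to parse AND is at or
    beyond the cap was almost certainly cut by TRUNCATE; an unparsable event
    well below the cap has some other problem and is reported separately.
    """
    size = len(raw_event.encode("utf-8"))
    try:
        json.loads(raw_event)
        return "complete"
    except json.JSONDecodeError:
        return "truncated" if size >= limit else "malformed"


def recommended_truncate(max_payload_bytes: int = PRISMA_MAX_PAYLOAD,
                         headroom: float = 1.25) -> int:
    """TRUNCATE value leaving headroom above the largest expected payload."""
    return int(max_payload_bytes * headroom)


def render_props_stanza(sourcetype: str, truncate: int) -> str:
    """props.conf stanza that raises TRUNCATE for the given sourcetype.

    Setting TRUNCATE = 0 would disable the cap entirely; a bounded value is
    preferable so a runaway event cannot consume unbounded indexer memory.
    """
    return f"[{sourcetype}]\nTRUNCATE = {truncate}\n"


def build_sample_alert(n_resources: int) -> str:
    """Constructed sample payload; the field names are illustrative only."""
    alert = {
        "alertId": "P-EXAMPLE-0001",            # constructed placeholder id
        "policyName": "Example policy",
        "resources": [
            {"id": f"resource-{i:05d}", "region": "us-east-1"}
            for i in range(n_resources)
        ],
    }
    return json.dumps(alert)


if __name__ == "__main__":
    small = build_sample_alert(5)
    large = build_sample_alert(300)                 # well over 10,000 bytes
    cut = large[:SPLUNK_DEFAULT_TRUNCATE]           # what Splunk would index by default
    for label, event in (("small", small), ("large-cut", cut)):
        print(f"{label}: {len(event)} bytes -> {classify_event(event)}")
    print(render_props_stanza("prisma_cloud_alert", recommended_truncate()))
```

Run it against events exported from the affected index (one raw event per string) and any event reported as `truncated` confirms the cap is biting; the rendered stanza belongs in the props.conf that applies to the sourcetype on the indexer or heavy forwarder that parses the Prisma Cloud data.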


Additional Information


  • To test, and to have the same alert ID sent to your Splunk again, you may need to re-trigger the alert.
  • Note that once Prisma Cloud receives the notification message from the alert service, it sends the same data to Splunk using the notification template schema. There is no enrichment of the data in the notification service, and the size will not exceed 800 KB.


https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000XgZCCA0&lang=en_US