By default, how many lines does Splunk allow per event?

The default setting for the maximum number of lines allowed per event in Splunk is 256. This means that when Splunk ingests data, it will consider a single event to be up to 256 lines long. If incoming data exceeds this limit, it may be truncated, which can affect the completeness of the events stored in Splunk.

Understanding this default behavior is important for administrators who need to manage the ingestion of multiline log files or structured data formats that exceed this threshold, as they may need to adjust settings or preprocess the data accordingly to ensure integrity and usability in their Splunk searches.