After upgrading from Splunk Enterprise or Splunk Cloud 6.x to 7.x, customers are reporting a bug with HTTP Event Collector (HEC). As a result:
Splunk Enterprise and Splunk Cloud releases 7.x (“7.x”) include a limit on HTTP Event Collector (HEC) payloads of 512KB. This limit exists to prevent memory overuse. Post-7.0.x, HEC events with sizes exceeding 512KB are not resolved by the HEC parser, and may be dropped.
Which customers are impacted:
This issue may impact any customer meeting the following criteria:
The latest maintenance release, 7.0.5, for Splunk Enterprise and Splunk UniversalForwarder are now available from the Download site.
Please note as 7.0.5 is not the latest version, you can find it under the “Older Releases” section.
Known Issues: http://docs.splunk.com/Documentation/Splunk/7.0.5/ReleaseNotes/Knownissues
Fixed Issues: http://docs.splunk.com/Documentation/Splunk/7.0.5/ReleaseNotes/Fixedissues