I'm using the Azure Add-on for Splunk to pull in our Azure AD sign-in, audit and user data; all is working well for the most part, with the exception that some user events (sourcetype="azure:aad:user") seem to have truncated JSON and therefore don't parse correctly.
Is there a limit setting for this that can remediate this?
You should be able to change the truncation in the app's local/props.conf file.
[azure:aad:user]
TRUNCATE = some big enough number
Thanks! I added a /local/props.conf with
[azure:aad:user]
TRUNCATE = 20000
and that worked.
I found by default that it was truncating at 10000. So I guessed and used 20000; that seemed to work.
I then searched the most recent data pull for raw events that didn't match (looking for events without the closing "}" at the end of the JSON event).
index=azuread sourcetype="azure:aad:user"
| regex _raw!="\}$"
When nothing matched I knew I was big enough. So I verified with
index=azuread sourcetype="azure:aad:user"
| eval CharCount=len(_raw)
| stats max(CharCount) as maxCharCount
and found my largest event (user profile) was just under 16000 characters, so 20k gives me some margin of error.
Thanks for your help!
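The same two checks from the reply above (find events that lost their closing brace, then measure the largest event to size TRUNCATE with headroom), written as an added Python example rather than SPL. This is not code from the thread or from the Azure Add-on; it assumes you have exported raw `azure:aad:user` events (for example from a search) as a list of strings, the sample events and the `make_user_event` helper are constructed here, and the 10000 default and 25% margin are taken from the thread. It goes a step beyond the `regex _raw!="\}$"` check by also attempting a JSON parse, which catches an event cut off right after a nested `}`.

```python
import json

# Splunk's default TRUNCATE value in props.conf, as observed in the thread.
DEFAULT_TRUNCATE = 10000


def make_user_event(upn, filler_len):
    """Hypothetical helper: build a realistic-looking Azure AD user object as a JSON
    string, padded with a filler field so we can control the event size."""
    obj = {
        "userPrincipalName": upn,
        "displayName": upn.split("@")[0],
        "accountEnabled": True,
        "notes": "x" * filler_len,
    }
    return json.dumps(obj)


# Constructed sample events (not real data): one small, one just under 16000 bytes
# like the largest profile in the thread, and one cut at the 10000-byte default.
SAMPLE_EVENTS = [
    make_user_event("alice@example.com", 500),
    make_user_event("bob@example.com", 15800),
    make_user_event("carol@example.com", 12000)[:DEFAULT_TRUNCATE],
]


def is_truncated(raw):
    """Treat an event as truncated if it does not end in '}' (the thread's regex check)
    or if it no longer parses as JSON (catches a cut just after a nested brace)."""
    if not raw.rstrip().endswith("}"):
        return True
    try:
        json.loads(raw)
    except json.JSONDecodeError:
        return True
    return False


def truncation_report(events):
    """Return (number_of_truncated_events, largest_event_size_in_bytes).
    TRUNCATE is a byte limit, so sizes are measured on the UTF-8 encoding,
    not with len() on the decoded string."""
    truncated = sum(1 for e in events if is_truncated(e))
    max_len = max((len(e.encode("utf-8")) for e in events), default=0)
    return truncated, max_len


def recommend_truncate(max_len, margin=1.25, floor=DEFAULT_TRUNCATE):
    """Size TRUNCATE with headroom above the largest event seen, rounded up to the
    nearest 1000 and never below the default."""
    needed = int(max_len * margin)
    rounded = ((needed + 999) // 1000) * 1000
    return max(rounded, floor)


def props_conf_stanza(sourcetype, truncate):
    """Render the local/props.conf stanza the thread describes."""
    return f"[{sourcetype}]\nTRUNCATE = {truncate}\n"


if __name__ == "__main__":
    truncated, max_len = truncation_report(SAMPLE_EVENTS)
    print(f"truncated events: {truncated}, largest event: {max_len} bytes")
    print(props_conf_stanza("azure:aad:user", recommend_truncate(max_len)))
```

On the constructed sample this flags the one event cut at 10000 bytes, reports the largest intact event at just under 16000 bytes, and recommends TRUNCATE = 20000, the same value arrived at in the thread. Run it against a real export after raising TRUNCATE: if any event still reports as truncated, the largest-event figure is itself truncated and the limit needs to go higher before the recommendation means anything.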
I'll give that a shot and see what happens! Thanks!