Getting Data In

Is it possible to change the MaxValueSize for HEC?

New Member

Getting a ton of this, and it's making Kafka Connect really grumpy. Any way to increase MaxValueSize?

06-19-2019 17:16:54.627 -0400 ERROR HttpInputDataHandler - Parsing error : While expecting event's raw text: String value too long. valueSize=5247864, maxValueSize=5242880, totalRequestSize=6963917
06-19-2019 17:17:14.622 -0400 ERROR HttpInputDataHandler - Parsing error : While expecting event's raw text: String value too long. valueSize=5247864, maxValueSize=5242880, totalRequestSize=6963917
06-19-2019 17:17:34.629 -0400 ERROR HttpInputDataHandler - Parsing error : While expecting event's raw text: String value too long. valueSize=5247864, maxValueSize=5242880, totalRequestSize=6963917
06-19-2019 17:17:54.624 -0400 ERROR HttpInputDataHandler - Parsing error : While expecting event's raw text: String value too long. valueSize=5247864, maxValueSize=5242880, totalRequestSize=6963917
06-19-2019 17:18:14.628 -0400 ERROR HttpInputDataHandler - Parsing error : While expecting event's raw text: String value too long. valueSize=5247864, maxValueSize=5242880, totalRequestSize=6963917
06-19-2019 17:18:34.624 -0400 ERROR HttpInputDataHandler - Parsing error : While expecting event's raw text: String value too long. valueSize=5247864, maxValueSize=5242880, totalRequestSize=6963917
06-19-2019 17:18:54.623 -0400 ERROR HttpInputDataHandler - Parsing error : While expecting event's raw text: String value too long. valueSize=5247864, maxValueSize=5242880, totalRequestSize=6963917
06-19-2019 17:19:14.626 -0400 ERROR HttpInputDataHandler - Parsing error : While expecting event's raw text: String value too long. valueSize=5247864, maxValueSize=5242880, totalRequestSize=6963917
06-19-2019 17:19:34.619 -0400 ERROR HttpInputDataHandler - Parsing error : While expecting event's raw text: String value too long. valueSize=5247864, maxValueSize=5242880, totalRequestSize=6963917

0 Karma

New Member

One of the engineers at Splunk was able to help me out. This resolved the issue for me.

[http]
disabled = 0
maxEventSize = 15728640

Here is the email I got that explains it:

Hello Mike,
To address the issue referenced below, a new global setting called maxEventSize under [http] stanza in inputs.conf has been introduced to allow customers to configure the expected maximum size of HEC event as part of these releases 7.0.5, 7.0.3.7, 7.1.3, and later.

A workaround for this issue is to have 6.x based HWFs parse the HEC events before forwarding to indexers.

Please let me know if you have any additional question.

0 Karma