Getting a ton of this, and it's making Kafka Connect really grumpy. Any way to increase MaxValueSize?
06-19-2019 17:16:54.627 -0400 ERROR HttpInputDataHandler - Parsing error : While expecting event's raw text: String value too long. valueSize=5247864, maxValueSize=5242880, totalRequestSize=6963917
06-19-2019 17:17:14.622 -0400 ERROR HttpInputDataHandler - Parsing error : While expecting event's raw text: String value too long. valueSize=5247864, maxValueSize=5242880, totalRequestSize=6963917
06-19-2019 17:17:34.629 -0400 ERROR HttpInputDataHandler - Parsing error : While expecting event's raw text: String value too long. valueSize=5247864, maxValueSize=5242880, totalRequestSize=6963917
06-19-2019 17:17:54.624 -0400 ERROR HttpInputDataHandler - Parsing error : While expecting event's raw text: String value too long. valueSize=5247864, maxValueSize=5242880, totalRequestSize=6963917
06-19-2019 17:18:14.628 -0400 ERROR HttpInputDataHandler - Parsing error : While expecting event's raw text: String value too long. valueSize=5247864, maxValueSize=5242880, totalRequestSize=6963917
06-19-2019 17:18:34.624 -0400 ERROR HttpInputDataHandler - Parsing error : While expecting event's raw text: String value too long. valueSize=5247864, maxValueSize=5242880, totalRequestSize=6963917
06-19-2019 17:18:54.623 -0400 ERROR HttpInputDataHandler - Parsing error : While expecting event's raw text: String value too long. valueSize=5247864, maxValueSize=5242880, totalRequestSize=6963917
06-19-2019 17:19:14.626 -0400 ERROR HttpInputDataHandler - Parsing error : While expecting event's raw text: String value too long. valueSize=5247864, maxValueSize=5242880, totalRequestSize=6963917
06-19-2019 17:19:34.619 -0400 ERROR HttpInputDataHandler - Parsing error : While expecting event's raw text: String value too long. valueSize=5247864, maxValueSize=5242880, totalRequestSize=6963917
One of the engineers at Splunk was able to help me out. This resolved the issue for me.
[http]
disabled = 0
maxEventSize = 15728640
Here is the email I got that explains it:
Hello Mike,
To address the issue referenced below, a new global setting called maxEventSize under [http] stanza in inputs.conf has been introduced to allow customers to configure the expected maximum size of HEC event as part of these releases 7.0.5, 7.0.3.7, 7.1.3, and later.
A workaround for this issue is to have 6.x based HWFs parse the HEC events before forwarding to indexers.
Please let me know if you have any additional question.