I'm posting a JSON struct such as:
{
    "index": "test_metrics",
    "time": 1679920906.0,
    "event": "metric",
    "host": "myhostname",
    "source": "build.mybuildplan",
    "sourcetype": "trace_profile",
    "fields": {
        "metric_name:metric1": 1234,
        "metric_name:metric2": 1234,
        "metric_name:metric3": 1234,
        ...
        "metric_name:metricN": 1234
    }
}
I noticed that on our Splunk Enterprise server, I can successfully post it, but the source, host, and sourcetype fields are not visible in Splunk (version 9.0.1).
After some debugging on a local Splunk install, I found that when I reduce N enough, these fields suddenly come through. Moreover, when I find the largest N for which these fields are shown properly and then make the name of the last metric longer (e.g. "metric_name:metricN_lorem_ipsum_etc"), it also starts to drop these fields. So it looks like it's related to the length of all metric names in the JSON combined?
My questions:
- Has anyone else experienced this?
- What's the magic limit I'm hitting here?
- Most importantly: Why can't I see any error message anywhere? It seems to be silently dropping some info. Is this a bug that could be fixed?
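
Added example (not part of the original post): the two manual tests described above, scripted in Python so the boundary can be measured in bytes rather than guessed. `probe` is a hypothetical callable you supply that sends the event and reports whether host, source and sourcetype arrived; the two simulated probes and their limits are constructed for the demo and are not Splunk's actual thresholds.

```python
import json

def build_event(n, suffix=""):
    """The post's payload with n metrics; suffix lengthens the last metric name."""
    names = [f"metric_name:metric{i}" for i in range(1, n + 1)]
    if names:
        names[-1] += suffix
    return {"index": "test_metrics", "time": 1679920906.0, "event": "metric",
            "host": "myhostname", "source": "build.mybuildplan",
            "sourcetype": "trace_profile", "fields": dict.fromkeys(names, 1234)}

def name_bytes(event):
    """Combined UTF-8 length of all metric names in the event."""
    return sum(len(k.encode("utf-8")) for k in event["fields"])

def largest_ok(probe, lo=1, hi=10_000):
    """Largest n in [lo, hi] for which probe(build_event(n)) is True, else 0.
    Assumes the failure is monotonic in n, as the post observed."""
    if not probe(build_event(lo)):
        return 0
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(build_event(mid)):
            lo = mid
        else:
            hi = mid - 1
    return lo

def classify(probe, n_ok, pad=64):
    """Repeat the post's second test: keep n fixed, lengthen the last name.
    pad exceeds the length of any single generated name, so a size limit must trip."""
    longer = build_event(n_ok, suffix="_" + "x" * (pad - 1))
    return "count" if probe(longer) else "size"

def report(probe):
    """Summarise where the boundary sits and what it appears to track."""
    n_ok = largest_ok(probe)
    ev = build_event(n_ok)
    return {"largest_n": n_ok, "name_bytes": name_bytes(ev),
            "payload_bytes": len(json.dumps(ev).encode("utf-8")),
            "limit_tracks": classify(probe, n_ok)}

# Constructed stand-ins for a real probe; the numbers are NOT Splunk's limits.
def sim_size_probe(ev): return name_bytes(ev) <= 5000
def sim_count_probe(ev): return len(ev["fields"]) <= 300

if __name__ == "__main__":
    print(report(sim_size_probe))
    print(report(sim_count_probe))
```

A result of "size" does not by itself separate a limit on the combined metric names from one on the whole payload; comparing `name_bytes` and `payload_bytes` across runs with different name lengths narrows that down.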