Hi,
thanks a lot for the fast response.
My solution is to define a kind of max field length by using the following rex:
rex field=uri max_match=0 "(?< uri >.{0,128})"
working search:
index=xxx sourcetype="xxx" earliest=-7d uri!="$FILE" host!="xxx"| regex uri="(?i)%[013456789].|%[a-f]."| rex field=uri max_match=0 "(?< uri >.{0,128})"| table _time, host, clientip, method, uri, status
works well, now the PDF is generated without any erros 🙂
sincerely oliver
Source: http://splunk-base.splunk.com/answers/84053/how-to-set-max-column-length
... View more