Hi,
No, there isn't any log record about truncation due to length. The reason I set TRUNCATE = 0 was to eliminate any potential issue due to length. The intent is to set it to 30000 once I figure out why it gets truncated.
All error messages are like the one below but with different values:
ERROR JsonLineBreaker - JSON StreamId:18294845293918380307 had parsing error:Unexpected character while looking for value: 'r' - data_source="/opt/splunk/vne2splunk/log.json", data_host="splmx1.sample.com", data_sourcetype="_json"
Some logs are parsed correctly like the one below:
{
  "audit": "16489",
  "hostScore": "0",
  "name": "to8pt.sample.com",
  "macAddress": "",
  "os": "OS Undetermined",
  "vulnerabilities": "1",
  "netbiosName": "",
  "application": {
    "": "port - 5040",
    "id: 6119 Application: DCE/MS RPC Endpoint Mapper Interface (TCP) description: DCE/MS RPC Endpoint Mapper Interface. parent: 165": "port - 135",
    "id: 165 Service: DCE/MS RPC over TCP description: Microsoft RPC (Remote Procedure Call) over TCP is used by many services, including: DHCP Manager, DNS Administration, WINS Manager, Exchange Client/Server, Exchange Administrator and RPC. Third party applications, such as Symantec/Veritas BackupExec, may also make use of it. protocol: tcp transport: n/a parentid: n/a": "port - 135",
    "id: 8037 Service: IPv4 Layer 4 description: Generic Layer 3 / Layer 4 RAW socket access. protocol: ip transport: n/a parentid: n/a": "port - 0"
  },
  "timeStamp": "2020-01-02 00:03:56",
  "ipAddress": "172.16.25.32",
  "id": "4128157",
  "network": "INT - Transports"
}
The only difference is that the "application" object varies in length. One example I have gets truncated in Splunk at 14,532 characters, but the original JSON has 15,071 characters.
This leads me to believe that the issue is related to some character sequence, but I'm not sure which one.