I have HEC messages that are indexed with the sourcetype _json. This is a built-in Splunk source obviously and has the following configuration:
[_json]
pulldown_type = true
INDEXED_EXTRACTIONS = json
KV_MODE = none
category = Structured
description = JavaScript Object Notation format. For more information, visit http://json.org/
I have a problem, however, with the length of the indexed fields: they are truncated to 1000 characters. I can't seem to figure out what setting I should change to increase that limit.
To give a bit more context, the HEC messages that I receive are roughly structured as follows:
{
"id": "35298092067921924966859073695563957796481621929900441603",
"level": "INFO",
"message": "2020-02-27T16:33:10.666Z e18c650c-7d2d-4acc-bf9c-bfbb1fd0cec4 INFO {\"message\":\"Error while ... \"}"
}
So we actually have an extracted field called message (and id and level, etc.), but that field can be rather long and is truncated at 1000 characters.
I've tried to find this in the limits.conf documentation, but I cannot find a definitive value there. Can somebody help me out?
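As an added illustration (not part of the original post, and not Splunk code), the following Python script shows what the 1000-character cut-off does to an event shaped like the one above. The outer HEC event is parsed, the message field is split into its timestamp, request id, level and embedded JSON payload, and the embedded JSON is parsed in turn. A second helper simulates the truncation so you can see that the embedded JSON stops parsing once the message is cut. The sample event, the regular expression for the message layout and the 1000-character limit are assumptions for the illustration, not settings taken from Splunk.

```python
import json
import re
from typing import Any, Dict

# Assumed cut-off for the illustration; matches the 1000 characters described in the post.
INDEXED_FIELD_LIMIT = 1000

# Assumed layout of the message field: "<ISO timestamp> <request id> <LEVEL> <JSON payload>"
_MESSAGE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<request_id>[0-9a-fA-F-]{36})\s+(?P<level>[A-Z]+)\s+(?P<payload>.*)$",
    re.DOTALL,
)


def build_sample_event(stack_len: int) -> str:
    """Constructed sample HEC event; the embedded JSON is padded so that it exceeds the limit."""
    inner = {"message": "Error while ...", "stack": "x" * stack_len}
    outer = {
        "id": "35298092067921924966859073695563957796481621929900441603",
        "level": "INFO",
        "message": "2020-02-27T16:33:10.666Z e18c650c-7d2d-4acc-bf9c-bfbb1fd0cec4 INFO "
        + json.dumps(inner, separators=(",", ":")),
    }
    return json.dumps(outer)


def truncate_message(raw: str, limit: int = INDEXED_FIELD_LIMIT) -> str:
    """Simulate an indexer cutting the message field to `limit` characters."""
    outer = json.loads(raw)
    outer["message"] = outer.get("message", "")[:limit]
    return json.dumps(outer)


def parse_hec_event(raw: str) -> Dict[str, Any]:
    """Parse the outer JSON, split the message field and try to parse the embedded JSON.

    Returns a dict with the outer fields, the message length, the parsed inner
    payload (or None) and an inner_error string when the payload cannot be parsed.
    """
    outer = json.loads(raw)
    msg = outer.get("message", "")
    result: Dict[str, Any] = {
        "id": outer.get("id"),
        "level": outer.get("level"),
        "message_len": len(msg),
        "inner": None,
        "inner_error": None,
    }
    m = _MESSAGE_RE.match(msg)
    if not m:
        result["inner_error"] = "message does not match the timestamp/request-id/level/payload layout"
        return result
    result["ts"] = m["ts"]
    result["request_id"] = m["request_id"]
    result["inner_level"] = m["level"]
    try:
        result["inner"] = json.loads(m["payload"])
    except json.JSONDecodeError as exc:
        # A message cut mid-payload typically fails here with an unterminated string or object.
        result["inner_error"] = f"embedded JSON does not parse: {exc.msg} at position {exc.pos}"
    return result


if __name__ == "__main__":
    event = build_sample_event(1200)
    print("full event:", parse_hec_event(event)["inner_error"])
    print("truncated event:", parse_hec_event(truncate_message(event))["inner_error"])
```

Running the script parses the full event cleanly and reports a JSON decode error for the truncated copy, which is the symptom to look for in Splunk when a long message field has been cut: the outer fields (id, level) still extract, but anything you try to do with the embedded JSON in message fails.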