I'm using indexed field extraction to ingest JSON data over the HTTP Event Collector.
It works great, except that once the event is > 10k bytes, the fields within the JSON are not indexed automatically. For example, if I submit a 15k event and then search for it via host, I am able to find it. However, if I search for it via a field within the JSON, it does not come up.
Is it possible to configure this setting? I haven't seen anything in the documentation yet. I'm still new to this particular functionality.
Do the events appear complete when you search for them via "host"? Meaning, the JSON does not appear truncated in the event viewer. I would imagine that you are running up against the default TRUNCATE option for your sourcetype (in props.conf), which by default is set to 10000 bytes. I would try setting TRUNCATE for your sourcetype higher, and then coming back here if that does not work.