I do:
grok { match => { "message" => "%{GREEDYDATA:foo}" } }
and I would expect that message and foo are the same, but foo is only the first ~4000 chars of message. I don't believe this is an event size issue, as I'm testing it with stdin/sdtout, and message is correctly shown as about 6000 chars. But foo has only the first 4000.
Alex
I've manage to find the root cause, I was testing using stdin/stdout, cut/pasting my data into the command line. It seems that my cut/paste buffer was 4096 chars. When echo/cat the input, it works as expected.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.