Hi,
I have a general question.
What happens with messages that contain fields longer than 32766 bytes? They will cause the error saying something like "Could not index event to Elasticsearch" and "caused_by"=>{"type"=>"max_bytes_length_exceeded_exception", "reason"=>"max_bytes_length_exceeded_exception: bytes can be at most 32766 in length; got 276223"}.
But will it be tagged with any of _*failure tags (like _grokparsefailure, _jsonparsefailure, etc.)?
I know that if grok cannot prase the message according to it's filter the message will be tagged with _grokparsefailure, failure in parsing json will probably cause the message to be tagged with _jsonparsefailure and so on.
Is there any such a tag for messages that contain fields longer than the limit (32766 bytes)?
I could not find anywhere is the documentation the list of existing _*failure tags. Is there any?
Thanks.