Messages that contain more than 32766 bytes in a field


I have a general question.

What happens with messages that contain fields longer than 32766 bytes? They will cause the error saying something like "Could not index event to Elasticsearch" and "caused_by"=>{"type"=>"max_bytes_length_exceeded_exception", "reason"=>"max_bytes_length_exceeded_exception: bytes can be at most 32766 in length; got 276223"}.

But will it be tagged with any of _*failure tags (like _grokparsefailure, _jsonparsefailure, etc.)?

I know that if grok cannot prase the message according to it's filter the message will be tagged with _grokparsefailure, failure in parsing json will probably cause the message to be tagged with _jsonparsefailure and so on.

Is there any such a tag for messages that contain fields longer than the limit (32766 bytes)?

I could not find anywhere is the documentation the list of existing _*failure tags. Is there any?


This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.