Timeout executing grok "Value too large to output (347 bytes)!"

OK I have been googling this and I can't figure it out at all. Every other person who is having this issue is dealing with large documents. The log messages I am indexing are pretty small and I'm still getting this error. I have tried everything I can think of but I can't fix this. Any help?

This is the exact message I'm getting:
Timeout executing grok '%{DATA:id} %{DATA:bucket} [%{S3WEBSITE_DATETIME:datetime}] %{IP:sourceIP} %{DATA:requester} %{DATA:requestID} %{DATA:operation} %{DATA:key} "%{DATA:requestURI}" %{DATA:status} %{DATA:error} %{INT:bytesSent} %{INT:objectSize} %{INT:totalTime} %{INT:turnAroundTime} "%{DATA:referrer}" "%{DATA:userAgent}" %{DATA:versionID}' against field 'message' with value 'Value too large to output (347 bytes)! First 255 chars are: 05b4cf0437aaff5ef42be6981904b7eb4f1e0d62074f2eacd31da3f1431fac87 websiteurl.com [15/Aug/2017:14:37:16 +0000] 162.158.78.78 - 6FD33A5306435C5F WEBSITE.GET.OBJECT index.html "GET / HTTP/1.1" 304 - - 875 23 - "-" "Mozilla/5.0 (Macintosh; Intel Mac'!

Don't use so many DATA patterns. They are very expensive. Use more exact patterns. For example, if your tokens are delimited by spaces you can just use NOTSPACE instead.

I don't think I've ever seen a case where it has been warranted to have more than one DATA or GREEDYDATA pattern in the same expression.

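The cost difference between DATA and NOTSPACE described in the reply above, as an added example that is not part of the original thread: it expands grok references into Python regular expressions using the DATA, NOTSPACE and INT definitions from logstash-patterns-core, then times both variants on a line that matches and on one that cannot. The reduced field list, the helper names `to_regex` and `cost`, and both sample lines are constructed for illustration.

```python
import re
import time

# Pattern definitions as shipped in logstash-patterns-core.
GROK = {
    "DATA": r".*?",
    "NOTSPACE": r"\S+",
    "INT": r"(?:[+-]?(?:[0-9]+))",
}

def to_regex(grok_expr):
    """Expand %{NAME:field} references into a compiled Python regex."""
    def expand(m):
        return "(?P<%s>%s)" % (m.group(2), GROK[m.group(1)])
    return re.compile(re.sub(r"%\{(\w+):(\w+)\}", expand, grok_expr))

# Reduced field list modelled on the thread's pattern (constructed, hypothetical).
FIELDS = ["id", "bucket", "requester", "operation", "key", "status"]
# The user agent contains spaces, so it keeps the single DATA in both variants.
TAIL = ' %{INT:bytesSent} %{INT:objectSize} "%{DATA:userAgent}"'
LAZY = to_regex(" ".join("%%{DATA:%s}" % f for f in FIELDS) + TAIL)
STRICT = to_regex(" ".join("%%{NOTSPACE:%s}" % f for f in FIELDS) + TAIL)

# Constructed sample lines. BAD has "-" where an INT is required, so neither
# pattern can match it and the engine must exhaust every alternative.
GOOD = ('05b4 websiteurl.com - WEBSITE.GET.OBJECT index.html 200 875 23 '
        '"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6)"')
BAD = GOOD.replace(" 875 ", " - ")

def cost(regex, line, repeat=200):
    """Return (captured fields or None, seconds spent on `repeat` searches)."""
    start = time.perf_counter()
    for _ in range(repeat):
        m = regex.search(line)
    return (m.groupdict() if m else None), time.perf_counter() - start

if __name__ == "__main__":
    for name, rx in (("DATA", LAZY), ("NOTSPACE", STRICT)):
        for label, line in (("matching", GOOD), ("non-matching", BAD)):
            fields, secs = cost(rx, line)
            print("%-8s %-12s matched=%-5s %.4fs"
                  % (name, label, fields is not None, secs))
```

Both variants extract the same fields from the matching line; the printed timings depend on the machine, and the gap shows up on the non-matching line, where every lazy DATA can end at any later space.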

I changed the patterns and this is no longer happening.

I feel like this should be called out in huge red text in the documentation of grok patterns.
