Timeout executing grok "Value too large to output (347 bytes)!"

(nfplatzke) #1

OK I have been googling this and I can't figure it out at all. Every other person who is having this issue is dealing with large documents. The log messages I am indexing are pretty small and I'm still getting this error. I have tried everything I can think of but I can't fix this. Any help?

This is the exact message I'm getting:
Timeout executing grok '%{DATA:id} %{DATA:bucket} [%{S3WEBSITE_DATETIME:datetime}] %{IP:sourceIP} %{DATA:requester} %{DATA:requestID} %{DATA:operation} %{DATA:key} "%{DATA:requestURI}" %{DATA:status} %{DATA:error} %{INT:bytesSent} %{INT:objectSize} %{INT:totalTime} %{INT:turnAroundTime} "%{DATA:referrer}" "%{DATA:userAgent}" %{DATA:versionID}' against field 'message' with value 'Value too large to output (347 bytes)! First 255 chars are: 05b4cf0437aaff5ef42be6981904b7eb4f1e0d62074f2eacd31da3f1431fac87 websiteurl.com [15/Aug/2017:14:37:16 +0000] - 6FD33A5306435C5F WEBSITE.GET.OBJECT index.html "GET / HTTP/1.1" 304 - - 875 23 - "-" "Mozilla/5.0 (Macintosh; Intel Mac'!

(Magnus Bäck) #2

Don't use so many DATA patterns. They are very expensive. Use more exact patterns. For example, if your tokens are delimited by spaces you can just use NOTSPACE instead.

I don't think I've ever seen a case where it has been warranted to have more than one DATA or GREEDYDATA pattern in the same expression.
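An added illustration of the advice above (not part of the original thread, and not Logstash's code): a small Python backtracking matcher that counts match attempts for a subset of the fields in the posted pattern, once with DATA and once with NOTSPACE. The `grok_steps` helper, the simplified NOTSPACE/INT definitions, start-anchored matching and both sample lines are assumptions made for the example.

```python
import re

# Simplified stand-ins for grok's NOTSPACE and INT (assumption, not Logstash's definitions).
RUNS = {"NOTSPACE": re.compile(r"\S+"), "INT": re.compile(r"[+-]?\d+")}

def grok_steps(pattern, line):
    """Match pattern at the start of line with a naive backtracking matcher.
    Returns (matched, number of match attempts)."""
    parts = re.split(r"%\{(\w+)(?::\w+)?\}", pattern)   # literal, NAME, literal, ...
    tokens = [("name" if i % 2 else "lit", p) for i, p in enumerate(parts) if p]
    steps = 0

    def m(ti, pos):
        nonlocal steps
        steps += 1
        if ti == len(tokens):
            return True
        kind, val = tokens[ti]
        if kind == "lit":
            return line.startswith(val, pos) and m(ti + 1, pos + len(val))
        if val == "DATA":   # lazy .*? : every end position is a candidate
            return any(m(ti + 1, end) for end in range(pos, len(line) + 1))
        run = RUNS[val].match(line, pos)
        if not run:
            return False
        # greedy: longest run first, then give back one character at a time
        return any(RUNS[val].fullmatch(line, pos, end) and m(ti + 1, end)
                   for end in range(run.end(), pos, -1))

    return m(0, 0), steps

FIELDS = "requester requestID operation key status error".split()
INTS = " %{INT:bytesSent} %{INT:objectSize} %{INT:totalTime}"
LOOSE = " ".join("%{DATA:" + f + "}" for f in FIELDS) + INTS
STRICT = " ".join("%{NOTSPACE:" + f + "}" for f in FIELDS) + INTS

# Constructed sample lines. BAD has "-" where bytesSent should be, so nothing matches.
GOOD = "- 6FD33A5306435C5F WEBSITE.GET.OBJECT index.html 200 - 875 875 23"
BAD = "- 6FD33A5306435C5F WEBSITE.GET.OBJECT index.html 304 - - 875 23 -"

if __name__ == "__main__":
    for name, pat in (("DATA", LOOSE), ("NOTSPACE", STRICT)):
        for label, line in (("good", GOOD), ("bad", BAD)):
            print(name, label, grok_steps(pat, line))
```

Both patterns accept the good line and reject the bad one; the difference is how many attempts the rejection costs, because each DATA can end at any space and every combination is tried before the matcher gives up.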

(nfplatzke) #3

I changed the patterns and this is no longer happening.

I feel like this should be called out in huge red text in the documentation of grok patterns.
