[graylog2] Re: GELF - max value size of _[additional field]
Hi, On Wednesday, 12 October 2016 05:55:48 UTC+2, au.ja...@gmail.com wrote: > > "...what client are you using the send these messages?" > Doesn't seem to matter. Reproducible from any HTTP, UDP client. > Please answer the question. HTTP, UDP etc. are different inputs on the Graylog side of things and there might also be a broken client in the game. Cheers, Jochen -- You received this message because you are subscribed to the Google Groups "Graylog Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to graylog2+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/76fc5a05-63a8-4010-91db-28805e16ffc2%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[graylog2] Re: GELF - max value size of _[additional field]
Hi, On Wednesday, 12 October 2016 01:31:36 UTC+2, au.ja...@gmail.com wrote: > > For verbosity, I've replaced large xml-based data with 'LargeMessage'. > Please attach a *complete message *which failed to be indexed correctly. Also provide the current index mappings of your Elasticsearch cluster (see https://www.elastic.co/guide/en/elasticsearch/reference/2.4/indices-get-mapping.html ): curl -XGET 'http://127.0.0.1:9200/_mapping?pretty' Cheers, Jochen -- You received this message because you are subscribed to the Google Groups "Graylog Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to graylog2+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/6fc0ec08-64e7-4537-b388-383906f22f5a%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[graylog2] Re: GELF - max value size of _[additional field]
"...what client are you using the send these messages?"
Doesn't seem to matter. Reproducible from any HTTP, UDP client.
On Wednesday, 12 October 2016 10:31:36 UTC+11, au.ja...@gmail.com wrote:
>
> Message format: GELF
> Protocol: Reproducible in both protocols tested: HTTP, UDP
>
> Sample message:
> {"short_message":"974cf326-536c-48dc-b3c6-b377f544138a", "host":"0.0.0.0",
> "timestamp":"1475818355.483", "_messageType":"Response",
> "_correlationId":"974cf326-536c-48dc-b3c6-b377f544138a",
> "full_message":"LargeMessage", "_testField":"LargeMessage"}
>
> For verbosity, I've replaced large xml-based data with 'LargeMessage'. As
> mentioned, I can store a large message using full_message, but not in
> _testField. Is there a change I can do to allow "_testField" (or any other
> additional field) to hold large messages?
>
>
> On Tuesday, 11 October 2016 20:16:51 UTC+11, Jochen Schalanda wrote:
>>
>> Hi,
>>
>> are there any error messages in the logs of your Graylog or Elasticsearch
>> nodes?
>>
>> Could you attach an example message to demonstrate the issue?
>>
>> What kind of input are you using in Graylog (GELF UDP, GELF TCP, or
>> something else) and what client are you using the send these messages?
>>
>> Cheers,
>> Jochen
>>
>> On Tuesday, 11 October 2016 05:58:51 UTC+2, au.ja...@gmail.com wrote:
>>>
>>> Reference: http://docs.graylog.org/en/2.1/pages/gelf.html
>>>
>>> Data is NOT logged when the value of _[additional field] in the GELF
>>> message exceeds some value (somewhere in the region of 40KBs).
>>>
>>> Is there some configuration I can amend to allow _[additional field] to
>>> hold larger data? I've tried updating max_chunk_size without success.
>>>
>>> Also, I'm aware that full_message can store large messages. Wondering
>>> if _[additional field] can be configured to as well. Cheers.
>>>
>>
--
You received this message because you are subscribed to the Google Groups
"Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to graylog2+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/graylog2/16cc1dc9-23d6-4bf5-ad30-b36c97ea475d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
[graylog2] Re: GELF - max value size of _[additional field]
Message format: GELF
Protocol: Reproducible in both protocols tested: HTTP, UDP
Sample message:
{"short_message":"974cf326-536c-48dc-b3c6-b377f544138a", "host":"0.0.0.0",
"timestamp":"1475818355.483", "_messageType":"Response",
"_correlationId":"974cf326-536c-48dc-b3c6-b377f544138a",
"full_message":"LargeMessage", "_testField":"LargeMessage"}
For verbosity, I've replaced large xml-based data with 'LargeMessage'. As
mentioned, I can store a large message using full_message, but not in
_testField. Is there a change I can do to allow "_testField" (or any other
additional field) to hold large messages?
On Tuesday, 11 October 2016 20:16:51 UTC+11, Jochen Schalanda wrote:
>
> Hi,
>
> are there any error messages in the logs of your Graylog or Elasticsearch
> nodes?
>
> Could you attach an example message to demonstrate the issue?
>
> What kind of input are you using in Graylog (GELF UDP, GELF TCP, or
> something else) and what client are you using the send these messages?
>
> Cheers,
> Jochen
>
> On Tuesday, 11 October 2016 05:58:51 UTC+2, au.ja...@gmail.com wrote:
>>
>> Reference: http://docs.graylog.org/en/2.1/pages/gelf.html
>>
>> Data is NOT logged when the value of _[additional field] in the GELF
>> message exceeds some value (somewhere in the region of 40KBs).
>>
>> Is there some configuration I can amend to allow _[additional field] to
>> hold larger data? I've tried updating max_chunk_size without success.
>>
>> Also, I'm aware that full_message can store large messages. Wondering if
>> _[additional field] can be configured to as well. Cheers.
>>
>
--
You received this message because you are subscribed to the Google Groups
"Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to graylog2+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/graylog2/d88eaa61-aa4b-42ba-be90-5a4cf3dcd123%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
[graylog2] Re: GELF - max value size of _[additional field]
Hi, are there any error messages in the logs of your Graylog or Elasticsearch nodes? Could you attach an example message to demonstrate the issue? What kind of input are you using in Graylog (GELF UDP, GELF TCP, or something else) and what client are you using the send these messages? Cheers, Jochen On Tuesday, 11 October 2016 05:58:51 UTC+2, au.ja...@gmail.com wrote: > > Reference: http://docs.graylog.org/en/2.1/pages/gelf.html > > Data is NOT logged when the value of _[additional field] in the GELF > message exceeds some value (somewhere in the region of 40KBs). > > Is there some configuration I can amend to allow _[additional field] to > hold larger data? I've tried updating max_chunk_size without success. > > Also, I'm aware that full_message can store large messages. Wondering if > _[additional field] can be configured to as well. Cheers. > -- You received this message because you are subscribed to the Google Groups "Graylog Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to graylog2+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/5d380fef-24d8-47d3-a419-3bdeb3285305%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
