You may be able to do some light detection by using a regex in RouteOnContent (not RouteText, which evaluates lines individually) to capture the group and perform a length check before trying to parse the CEF format. However, if the spec states that the field cannot contain more than 1023 characters, there isn’t anything NiFi can do to change that though.
Andy LoPresto [email protected] [email protected] PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4 BACE 3C6E F65B 2F7D EF69 > On Jan 3, 2019, at 12:13 PM, Felix McPherson <[email protected]> wrote: > > Hi, > I'm using the ParseCEF processor to parse CEF message to Json format. > Unfortunately the ParseCEF processor fails for message/events that holds a > string in the Msg field that has more than 1023 character. According to the > CEF standard the Msg field in an event shall not exceed 1023 character. The > PARSECEF fails with: > > "Error > ParseCEF[id=...] Failed to parse... > ...as a CEF message; it does not conform to the CEF standard; routing to > failure. > > Any ideas on a workaround for this problem? I would prefer not having to > remove character in the Msg field string. > Regards,lj
