[Oisf-users] issue with event size

erik clark philosnef at gmail.com
Thu Jul 27 11:50:23 UTC 2017


So, I am pushing events into Splunk from Suricata. Life was great before
http_response_body and http_request_body. However, after turning them on, I
got a 28k size event, which caused a malformed event to be pushed into
Splunk, making it unreadable, as our Splunk has a limit of 10k for an
event.  How can I limit the size of the http_response_body and
http_request_body to the first 3k each? I am sure I have events bigger than
this. Thanks!