[Oisf-users] issue with event size

Giuseppe Longo lists at glongo.it
Thu Jul 27 12:54:47 UTC 2017

Il giorno gio, 27/07/2017 alle 07.50 -0400, erik clark ha scritto:
> So, I am pushing events into splunk from suricata. Life was great
> before http_response_body and http_request_body. However, after
> turning them on, I got a 28k size event., which caused a malformed
> event to be pushed into splunk, making it unreadable, as our splunk
> has a limit of 10k for an event.  How can I limit the size of the
> http_response_body and http_request_body to the first 3k each? I am
> sure I have events bigger than this. Thanks!

The problem of limiting http_request_body/http_response_body is that if
the matching part is lost there is no more interest.

To have smaller events you can try to decrease
request-body-minimal-inspect-size and


More information about the Oisf-users mailing list