Hello,

I have been struggling with something that is probably common sense to experts. Part of the Splunk messages that I deal with are mostly structured like the one pasted at the end [1]. The message is persisted full size; however, when it is part of some search result, the "object" part, which is JSON, gets cut off to the following:

{"objectName":"<some_string>"

I know that there is some kind of default limitation that a field cannot exceed 10 000 characters, and if it does it could end up like this; however, the problem is also observed for messages that have a total length of 6 000 characters. There must be something else that I am currently missing.

I also went through similar questions here that suggested enriching the search queries with a regex that will force the complete field extraction in the search results, like:

| rex object=(?<object>.+)$

This does the job for testing purposes, but I would like to find another solution: because my searches are executed through the Splunk REST API, it is not an option to hardcode such regexes for multiple fields. I assume that the solution could be accomplished by a configuration on the Splunk side, and I would really appreciate it if someone with more experience could take a look.

As for the setup on my side, I have one search head and two indexers; the problem is observed no matter whether I execute the search through the search head or directly on the indexers.

Thank you in advance.

Best Regards,
Martin

[1] sample message:

formatVersion="<some_version>",
serverTimestamp="<some_timestamp>",
crtAccount="<some_string>",
crtApplication="<some_string>",
crtComponent="<some_string>",
crtTenantId="<some_string>",
crtPermissions="<some_string>",
crtHostname="<some_string>",
accountExt="<some_string>",
clientTimestamp="<some_timestamp>",
messageId="<some_string>",
category="<some_string>",
loggedByClass="<some_string>",
correlation_id="<some_string>",
ip_address="<some_string>",
username="<some_string>",
tenantId="<some_string>",
verb={"action":"update"},
"object="{
"objectName":"<some_string>",
"objectAttributs":{
"System details":{
"oldValue":"<some_string>",
"newValue":"<some_string>"
}
},
"auditedObject":{
"type":"<some_string>",
"id":{
"key":"<some_string>"
}
}
}
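As an added example (not part of the original post, and not Splunk's own extraction logic): when the full event text reaches the REST client, for instance through the `_raw` field of each result, the `object` JSON can be recovered client-side without a per-field regex. The sample event is constructed and assumes the `object={...}` form; `parse_event` is a hypothetical helper name.

```python
import json
import re

# Constructed sample event in the shape of the post's message (placeholder values).
SAMPLE_RAW = (
    'formatVersion="1.0",\n'
    'username="alice",\n'
    'verb={"action":"update"},\n'
    'object={\n'
    '"objectName":"Tenant, \\"main\\" = prod",\n'
    '"objectAttributs":{"System details":{"oldValue":"a=1,b=2","newValue":"a=1,b=3"}},\n'
    '"auditedObject":{"type":"tenant","id":{"key":"42"}}\n'
    '}'
)

_KEY = re.compile(r'[\s,]*([A-Za-z_][\w.]*)=')
_DECODER = json.JSONDecoder()


def parse_event(raw):
    """Split key=value pairs; values may be quoted strings, JSON or bare tokens."""
    fields, pos = {}, 0
    while True:
        m = _KEY.match(raw, pos)
        if not m:
            break
        key, pos = m.group(1), m.end()
        if raw.startswith(('{', '['), pos):
            # JSON value: the decoder finds the matching close brace, so commas,
            # quotes and '=' inside the object do not end the field early.
            try:
                value, pos = _DECODER.raw_decode(raw, pos)
            except json.JSONDecodeError:
                # Truncated or malformed JSON: keep the remaining text unparsed.
                value, pos = raw[pos:], len(raw)
        elif raw.startswith('"', pos):
            # Quoted value: runs to the next double quote (no escape handling).
            end = raw.find('"', pos + 1)
            end = len(raw) if end == -1 else end
            value, pos = raw[pos + 1:end], end + 1
        else:
            # Bare token: runs to the next comma.
            end = raw.find(',', pos)
            end = len(raw) if end == -1 else end
            value, pos = raw[pos:end].strip(), end
        fields[key] = value
    return fields
```

A value that comes back as a string starting with `{` rather than as a dict indicates the JSON was already cut off before it reached the client.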