Limit on size of event/data passed to 'collect' command?

We have a number of scheduled searches that run every few minutes to search for events recently indexed that match certain criteria (e.g. events submitted by security devices). These events are enriched with data from threat intel feeds and then passed to a macro that uses the `collect` command to aggregate the events in a summary index called `alert_events`. Most of the events that pass through this process come out fine, but we've noticed recently that very large events are causing issues. For example, some of the events that a particular scheduled search is alerting on start out with 150 fields extracted at search time, but the event that arrives in the `alert_events` index has only 100 fields, and the rest of the fields from the original event are just missing. If I run the scheduled search without the macro calling `collect`, I see all 150 fields, but if I apply the macro at the end of the search, the event indexed in `alert_events` has only 100 fields. Is there a maximum size (or a maximum number of extracted fields) for events being passed to `collect`? I can't find any such limit documented on Splunk Docs. I am also open to other explanations for why the results of a given search show 150 fields, and applying `|collect index=alert_events sourcetype=ouralerts source=ouralerts` results in indexed events with only 100 fields. Thanks!
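A way to measure the field loss at each stage, added here as an example and not part of the original post: the first search counts the fields the scheduled search extracts, the second counts what automatic key-value extraction recovers from the summary-indexed copies and reports the longest `_raw` that `collect` wrote, and the third reads the `[kv]` stanza of limits.conf, whose `limit` (maximum number of auto-KV fields per event) and `maxchars` (number of `_raw` characters scanned for auto-KV) bound search-time extraction on the summary index, with stock values of 100 and 10240. It assumes the scheduled search's base search is `index=security_devices` (a placeholder) and that the `rest` endpoint is readable by the user running the search.

```spl
index=security_devices earliest=-15m
| fieldsummary
| stats count AS fields_before_collect

index=alert_events sourcetype=ouralerts source=ouralerts earliest=-15m
| fieldsummary
| stats count AS fields_after_collect

index=alert_events sourcetype=ouralerts source=ouralerts earliest=-15m
| eval raw_chars=len(_raw)
| stats max(raw_chars) AS longest_summary_event_chars

| rest /services/configs/conf-limits
| search title=kv
| table title limit maxchars maxcols
```

Run the three searches separately over the same window; if `fields_after_collect` equals the `[kv]` `limit` value, or `longest_summary_event_chars` exceeds `maxchars`, the cut-off is happening at summary-index extraction time rather than inside `collect` itself.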
