character limit in field extraction using transforms REPORT

Hi, I have data in the KV format, for example:

    field1="100",field2="100:\"string\"",field3="string2=value3(name)"

I am trying to extract my events into key-value pairs myself without using KV_MODE (because I have some issues with parts of the way it behaves). So I configured KV_MODE to NONE and wrote my own regex, using it with a REPORT stanza, and that worked really great for the most part.

Unfortunately there is a problem with big events: the extraction is cut off in the middle, around 10kb in. The data is still there in its raw form, but at some point it is simply not extracted into key-value pairs.

I had this problem with KV_MODE too, but changing the 'kv' stanza in limits.conf fixed that (where the default for max characters in auto extraction is 10240). Well, it doesn't fix the problem when using REPORT, and I haven't found anything that will anywhere (I hoped LOOKAHEAD in transforms would help, but it failed).

The transforms stanza:

    [keyvalue_mv]
    REGEX = (\w+)=\"(.*?)(?
