How to prevent: "Value names cannot be longer than 255 characters, this value will always expand to the empty string;" #2297
Comments
Hello, @ehlo550!
Hi @ikheifets-splunk, Regards
I have the same issue. For now I use "Ingest Actions" to remove them.
Hello, @ehlo550 @xenogloss! Sorry for the delay! This error But I think we can probably make a workaround for this case.
Hi @ehlo550, the error you're seeing is generated by syslog-ng and cannot be controlled at the SC4S level, especially since it's currently expected behavior for syslog-ng to check strings ending with equal signs as value names. We have opened a GitHub issue in the syslog-ng repository for this. As a quick workaround, you might consider filtering out syslog-ng errors related to the 255-character rule. You can find more details here: https://splunk.github.io/splunk-connect-for-syslog/main/sources/#filtering-events-from-output. For example:
Reopening as a bug based on the discussion in syslog-ng/syslog-ng#5059. We need to fix parsing in In both these parsers there is no filter in front of
Fixed in SC4S 3.31.0.
Was the issue replicated by support?
yes.
What is the SC4S version?
2.48
Is there a pcap available?
yes.
Is the issue related to the environment of the customer or Software related issue?
It's related to syslog-ng/SC4S configuration.
Describe the bug
When I am sending a specific message to SC4S, I get sort of an "error", more of an informational message, logged from SC4S that
The content that was replaced with XXXXXXXX is base64-encoded and ends with a = character in the original message.
How can I get rid of these error messages?
I am sure that some parser is used on this message and, due to the value ending with a =, SC4S is trying to use everything before it as a key and everything after it as a value. I assume I simply need to add an app parser to stop this behaviour.
The message below is just an example, so this is a general question, independent of sourcetype/vendor_product.
Splunk Support told me to open an issue here.
To Reproduce
Steps to reproduce the behavior:
echo "<13>Nov 08 12:59:54 1.1.1.1 f5req_forward_clone[-]: F5-REQ-VERSION:v1:date_time='2023-11-08 13:59:54',clientip='1.2.2.2',host='host.example.com' ,http_host='host.example.com',http_responsecode='200',http_username='makemelongenoughtotriggerAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABASE64CONTENTendingwitha=',http_user-agent='PHP-SOAP-CURL',http_referer='',http_xff='3.3.3.3',http_request_id='',cached='false',virtualname='something',virtualip='4.4.4.4',virtualport='443',http_method='POST',http_path='/bla/blub.asmx',http_query='',http_version='HTTP/1.1',http_response_size='10092',http_response_time='32',nodeip='4.4.4.4',nodeport='443',snatpool='/Common/SNAT_Something_Pool',snatip='6.6.6.6',snatport='34470',pool='/Common/blub.app/blapool8',req_type='response'" | nc -u -w 0 {SC4S_IP} 514