HTTP Responses and Requests > 32766 Not Able to be Analyzed
cailen opened this issue · 0 comments
cailen commented
Hope you are well!
I ran across a few (I'm sure non-specific to this project) issues this morning when gathering HTTP traffic where some of the really large returns for http_request_body_printable and http_response_body fail to index because they are larger than 32766. I saw a few options online for ignoring text fields above a certain limit, for example:
```json
{
  "logs_template": {
    "template": "logs*",
    "mappings": {
      "_default_": {
        "_all": {
          "enabled": false
        },
        "dynamic_templates": [
          {
            "notanalyzed": {
              "match": "*",
              "match_mapping_type": "string",
              "mapping": {
                "ignore_above": 512,
                "type": "string",
                "index": "not_analyzed",
                "doc_values": true
              }
            }
          }
        ]
      }
    }
  }
}
```
I was looking at your template and was wondering how this could best fit in without ruining anything else. Thanks!
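
The following is an added example, not part of the original issue or the project's code: a pre-indexing check that shows which string fields of an event would index, be skipped by `ignore_above`, or make the document fail on the 32766 limit. It assumes the limit is measured in UTF-8 bytes while `ignore_above` counts characters (approximated here with Python's `len`); the function names and the sample event are constructed for illustration.

```python
LUCENE_MAX_TERM_BYTES = 32766  # limit quoted in the issue


def walk_strings(doc, prefix=""):
    """Yield (dotted_path, value) for every string in a nested dict/list."""
    if isinstance(doc, dict):
        for key, value in doc.items():
            yield from walk_strings(value, f"{prefix}.{key}" if prefix else key)
    elif isinstance(doc, list):
        for item in doc:
            yield from walk_strings(item, prefix)
    elif isinstance(doc, str):
        yield prefix, doc


def classify(doc, ignore_above=None):
    """Map each string field to 'indexed', 'skipped' or 'rejected'.

    'skipped'  = longer than ignore_above characters: kept in _source, not indexed.
    'rejected' = one term over the byte limit: the document fails to index.
    """
    result = {}
    for path, value in walk_strings(doc):
        n_bytes = len(value.encode("utf-8"))
        if ignore_above is not None and len(value) > ignore_above:
            result[path] = "skipped"
        elif n_bytes > LUCENE_MAX_TERM_BYTES:
            result[path] = "rejected"
        else:
            result[path] = "indexed"
    return result


def safe_ignore_above():
    """Largest character count that can never exceed the byte limit in UTF-8."""
    return LUCENE_MAX_TERM_BYTES // 4  # UTF-8 uses at most 4 bytes per character


# Constructed sample event; the first two field names come from the issue.
SAMPLE = {
    "http_request_body_printable": "a=1&b=2",
    "http_response_body": "x" * 40000,
    "note": "\u00e9" * 20000,  # 20000 characters but 40000 bytes
}

if __name__ == "__main__":
    for limit in (None, 32766, safe_ignore_above(), 512):
        print(limit, classify(SAMPLE, ignore_above=limit))
```

Fields reported as skipped stay in `_source` but cannot be searched or aggregated, so a low value such as 512 removes large HTTP bodies from any query or detection that relies on those fields.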