We've recently onboarded some Azure AAD logs and things have mostly gone nicely. One thing I did notice in my post-checks though was that we had quite a few warnings in the internal logs for line-breaking errors as a decent number of the events were exceeding the default 10k value.
Could we potentially look into setting the Truncate value for this sourcetype as well in props.conf (either to 0 or some higher value like 30-40K) to avoid this issue from occurring? This already appears to be done for a few of the other sourcetypes. Thanks!
Hi Team,
We've recently onboarded some Azure AAD logs and things have mostly gone nicely. One thing I did notice in my post-checks though was that we had quite a few warnings in the internal logs for line-breaking errors as a decent number of the events were exceeding the default 10k value.
Could we potentially look into setting the Truncate value for this sourcetype as well in props.conf (either to 0 or some higher value like 30-40K) to avoid this issue from occurring? This already appears to be done for a few of the other sourcetypes. Thanks!