Hi Felix,

As you noticed, the CEF standard indeed states that 1023 characters is the
limit and as such, when I wrote the underlying parser (ParCEFone), I enforced
a length check and failed the parsing in case of exceeding that value.

Could I just truncate? Possibly... But what to do when the vendor sends
text data on a field that the std defines as numeric? :-\

So the motto was: never try fixing messages during parsing, instead treat
individual cases on a one by one basis.

How to treat the odd bunches?

Historically I used a shlex based jython Parser running from
(ExecuteScript) to parse messages that failed CEF validation and then used
logic to address particular issues.

This approach poses a question: Why not use the jython shlex parser in the
first place?

1. Because shlex may fail on valid CEF
2. Because ExecuteScript was slower than the native processor.

Since the processor routes failures to a separate connector, I relied on
the ParseCEF processor for everything that worked out of the box, but used
a quick and dirty jython parser where I could address the odd cases.

Sad reality of dealing with vendor logs is that they constantly fail to
follow the standards they "comply with" and honestly you can't blame them.
Some of the field lengths defy logic (a perfect example being the Request
field that sets a limit well below the max URI length of most common
browsers...)

Hope this helps?

André
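
An added example, not part of André's message and not code from ParCEFone or NiFi: a lenient fallback parser for events that the strict processor routed to failure, which keeps the oversized or mistyped values untouched and reports each violation so every case can be handled separately. It is written for CPython 3 rather than Jython and scans with a regex instead of shlex; `parse_lenient`, `MAX_LEN`, `INT_KEYS` and the sample event are assumptions made for illustration, and `INT_KEYS` lists only a few of the integer keys in the CEF dictionary.

```python
import re

MAX_LEN = {"msg": 1023}           # limit quoted in this thread
INT_KEYS = {"spt", "dpt", "cnt"}  # assumed subset of CEF integer keys
HEADER = ["version", "deviceVendor", "deviceProduct", "deviceVersion",
          "signatureId", "name", "severity"]
_KEY = re.compile(r"(?:^|\s)(\w+)=")  # start of a key=value pair
_ESC = {"n": "\n", "r": "\r"}

def _unescape(value):
    return re.sub(r"\\(.)", lambda m: _ESC.get(m.group(1), m.group(1)), value)

def _split_header(text, n):
    """Split on the first n unescaped pipes; return (fields, remainder)."""
    parts, cur, i = [], [], 0
    while i < len(text) and len(parts) < n:
        if text[i] == "\\" and i + 1 < len(text):
            cur.append(text[i + 1])   # keep the escaped character
            i += 2
            continue
        if text[i] == "|":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(text[i])
        i += 1
    return parts, text[i:]

def parse_lenient(line):
    """Parse without enforcing limits; return (event, violations)."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF message")
    header, ext = _split_header(line[4:], len(HEADER))
    if len(header) != len(HEADER):
        raise ValueError("incomplete CEF header")
    keys = list(_KEY.finditer(ext))
    fields = {}
    for m, nxt in zip(keys, keys[1:] + [None]):
        end = nxt.start() if nxt else len(ext)
        fields[m.group(1)] = _unescape(ext[m.end():end].strip())
    violations = []
    for key, value in fields.items():
        if len(value) > MAX_LEN.get(key, len(value)):
            violations.append("%s: length %d exceeds %d" % (key, len(value), MAX_LEN[key]))
        if key in INT_KEYS and not re.fullmatch(r"-?\d+", value):
            violations.append("%s: non-numeric value" % key)
    event = dict(zip(HEADER, header), extension=fields)
    return event, violations

# Constructed sample: oversized msg and text in the numeric spt field.
SAMPLE = ("CEF:0|ExampleVendor|ExampleProduct|1.0|100|Test event|5|"
          "src=10.0.0.1 spt=https msg=" + "A" * 1500)
```

The violations list can be attached to the event as an attribute, so downstream routing decides per case whether to keep, truncate or quarantine it.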






On Fri, Jan 4, 2019 at 7:13 AM Felix McPherson <ljungpip...@yahoo.se> wrote:

> Hi,
> I'm using the ParseCEF processor to parse CEF messages to JSON format.
> Unfortunately the ParseCEF processor fails for messages/events that hold a
> string in the Msg field that has more than 1023 characters. According to the
> CEF standard the Msg field in an event shall not exceed 1023 characters. The
> PARSECEF fails with:
>
> "Error
> ParseCEF[id=...] Failed to parse...
> ...as a CEF message; it does not conform to the CEF standard; routing to
> failure.
>
> Any ideas on a workaround for this problem? I would prefer not having to
> remove characters in the Msg field string.
> Regards, lj
>
