Okay, so I followed your suggestion and broke my indices up:
so hopefully that clears the “1000 total fields exception”.
In so doing the above, I was finally able to track down the stinker that's causing the “ListBaseType” error:
This index is populated entirely by the Office365 & AzureAD collector found here @ddbnl
This is the extractor used for that input:
```json
{
  "extractors": [
    {
      "title": "Audit Log Extractor",
      "extractor_type": "json",
      "converters": [],
      "order": 0,
      "cursor_strategy": "copy",
      "source_field": "message",
      "target_field": "",
      "extractor_config": {
        "flatten": true,
        "list_separator": ", ",
        "kv_separator": "=",
        "key_prefix": "",
        "key_separator": "_",
        "replace_key_whitespace": false,
        "key_whitespace_replacement": "_"
      },
      "condition_type": "none",
      "condition_value": ""
    }
  ],
  "version": "4.2.9"
}
```
Am I correct in thinking the answer lies somewhere in here? If so, honestly, I am not sure what to do to resolve. I assume “list_separator” may have a part to play?
Thank you!