Graylog & PaloAlto - Limit of total fields has been exceeded?

Im fairly new to Graylog and I’m very happy to work with this tool. But so maybe my question is quite easy to solve.

I’m trying to import PAN-OS 9.1 Logs into my Graylog 3.3 Installation. Therefore, I installed the Integrations Plugin and started working with the “Palo Alto Networks Input”.
When configuring my Firewall to send Logs to Graylog, I start receiving the following errormessages:

WARN [Messages] Failed to index message: index= id= error=<{“type”:“illegal_argument_exception”,“reason” :“Limit of total fields [1000] in index [graylog_499] has been exceeded”}>

Those messages do definitely not contain more than arround 120 Fields. In PaloAlto I configured the Logs to be sent alternately as IETF or BSD. There was no change.

Did anybody here faced the a similar Issue so far?

Kind Regards

See the below:

Thanks for your feedback. Your feedback helped me to understand the error message. Mistakenly I interpreted the Errormessage in that way that one incoming Logmessage contains more than 1000 Fields what is not the case. I’m going to split up the indexes as you suggested.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.