Skip to content

Add 64 KB field size truncation known limitation for all connectors #14008

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
hassanchawiche merged 3 commits into from
Apr 8, 2026
+12 −0
Merged

Add 64 KB field size truncation known limitation for all connectors #14008

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
7714b27
Add 64 KB field size truncation known limitation to Solutions/known_i…
v-krishnachi Apr 7, 2026
3f60ed6
Apply suggestion from @Copilot
v-krishnachi Apr 8, 2026
befe41c
Apply suggestions from code review
v-krishnachi Apr 8, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 12 additions & 0 deletions Solutions/known_issues.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -63,4 +63,16 @@ Note after deleting the function named in the workspace error message, re-search
However, there are limitations with Oracle database unified and syslog limitations, which may require to make changes at the Oracle side. For example, you might need to create and enable an audit policy to log all the events, restart the database, and add the syslog config.

If the rule is not giving appropriate results, it might be due to the complexity of the SQL injection patterns or the configuration of the Oracle servers. It’s recommended to revalidate the SQL injection patterns rule and adjust it according to the specific needs and configurations of the Oracle servers.
## Known Issue #10 - Data truncation due to 64 KB field size limit in Log Analytics Ingestion API
The Azure Monitor [Logs Ingestion API enforces a maximum field size of 64 KB](https://learn.microsoft.com/en-us/azure/azure-monitor/service-limits#logs-ingestion-api). Any individual field value that exceeds this limit is **silently truncated** during ingestion — no error or warning is surfaced to the user in the portal, connector health, or DCR logs.

This affects data connectors (including Codeless Connector Framework / CCF-based connectors) that ingest data into custom Log Analytics tables via Data Collection Rules (DCRs). Fields carrying large payloads — such as `ScriptContentBytes`, `CommandLine`, `RequestBody`, or any free-text / encoded-content column — are most likely to be impacted.

**Impact:** Truncated fields may result in incomplete data for investigation, missed detections, or broken parsing logic that depends on the full field value.

**What you can do:**
1. Query the `DCRLogErrors` table in your workspace to rule out other ingestion failures related to your connector's DCR, but note that **silent field truncation will not appear there**.
2. Use a KQL query to identify potentially affected records using an approximate character-count heuristic, for example:

3. If the source system allows it, consider splitting or summarising large fields before they are sent to the connector.
4. Be aware that this is a **platform-level limitation** and cannot be resolved from the connector side. For the latest limits, refer to [Azure Monitor service limits](https://learn.microsoft.com/en-us/azure/azure-monitor/service-limits#logs-ingestion-api).
Loading