https://community.splunk.com/t5/All-Apps-and-Add-ons/Field-extractions-are-incomplete-for-juniper/m-p/491134#M60473 <P>The log is not complete when viewing these weird extractions</P> <P>Thanks</P> Tue, 26 Nov 2019 08:13:29 GMT nathanluke86 2019-11-26T08:13:29Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Field-extractions-are-incomplete-for-juniper/m-p/491130#M60469 <P>Hello,</P> <P>We are extracting juniper logs using the Juniper addon and are getting random fields as pictured.</P> <P>Could someone explain why this might be happening</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/7985i90D02BCD962F7B47/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Tue, 19 Nov 2019 09:14:42 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Field-extractions-are-incomplete-for-juniper/m-p/491130#M60469 nathanluke86 2019-11-19T09:14:42Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Field-extractions-are-incomplete-for-juniper/m-p/491131#M60470 <P>Hi @nathanluke86,</P> <P>Are you on a distributed env ? If so where have you installed the ad-on ?</P> <P>Search time components of the TA should go on the search head to get the cleanest extractions possible.</P> <P>In your case it seems that the auto-extractions are grabbing lots of weird fields and polluting your field list. In order to disable it modify your local <CODE>props.conf</CODE> to include <CODE>KV_MODE = none</CODE> that way auto-extraction will be disabled.</P> <P>More info here:<BR /> <A href="https://docs.splunk.com/Documentation/Splunk/8.0.0/Knowledge/Automatickey-valuefieldextractionsatsearch-time#Automatic_key-value_field_extraction_format">https://docs.splunk.com/Documentation/Splunk/8.0.0/Knowledge/Automatickey-valuefieldextractionsatsearch-time#Automatic_key-value_field_extraction_format</A></P> <P>Cheers,<BR /> David</P> Tue, 19 Nov 2019 09:52:09 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Field-extractions-are-incomplete-for-juniper/m-p/491131#M60470 DavidHourani 2019-11-19T09:52:09Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Field-extractions-are-incomplete-for-juniper/m-p/491132#M60471 <P>Hi @DavidHourani </P> <P>We are in a distributed env. I have checked props.conf and KV_MODE is set to none. The TA is installed on all forwarders and Search heads.</P> <P>Thanks</P> Wed, 20 Nov 2019 10:00:08 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Field-extractions-are-incomplete-for-juniper/m-p/491132#M60471 nathanluke86 2019-11-20T10:00:08Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Field-extractions-are-incomplete-for-juniper/m-p/491133#M60472 <P>Are those fields showing over all time ? Click on one of the weird fields and check what the event looks like, wether its broken or not.</P> <P>Also check if there are other places where the sourcetype might be grabbing its config from use <CODE>btool</CODE> to verify that.</P> Wed, 20 Nov 2019 10:38:03 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Field-extractions-are-incomplete-for-juniper/m-p/491133#M60472 DavidHourani 2019-11-20T10:38:03Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Field-extractions-are-incomplete-for-juniper/m-p/491134#M60473 <P>The log is not complete when viewing these weird extractions</P> <P>Thanks</P> Tue, 26 Nov 2019 08:13:29 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Field-extractions-are-incomplete-for-juniper/m-p/491134#M60473 nathanluke86 2019-11-26T08:13:29Z