https://community.splunk.com/t5/Getting-Data-In/Large-JSON-events-not-showing-field-in-quot-Interesting-fields/m-p/574155#M101516 <P>hi i am facing same issue here, just clarification this kv setting needs to change on heavy forwarder or search heads</P> Tue, 09 Nov 2021 10:02:32 GMT rahulg 2021-11-09T10:02:32Z https://community.splunk.com/t5/Getting-Data-In/Large-JSON-events-not-showing-field-in-quot-Interesting-fields/m-p/460028#M79410 <P>Good morning all! I have a datasource that is valid JSON (I verified with python and jq). The entire event gets ingested, however a field that is at the tail end of the raw event does not show up in interesting fields. Splunk is parsing it correctly because if I look at the event, the key and values have the necessary color code indicating that they are KV.</P> <P>I would say that my even has roughly 26k c chars in it and it is less than 1mb. I looked in limits.conf and found nothing valuable.</P> <P>Any help is much appreciated</P> Sun, 07 Jun 2020 01:11:09 GMT https://community.splunk.com/t5/Getting-Data-In/Large-JSON-events-not-showing-field-in-quot-Interesting-fields/m-p/460028#M79410 brent_weaver 2020-06-07T01:11:09Z https://community.splunk.com/t5/Getting-Data-In/Large-JSON-events-not-showing-field-in-quot-Interesting-fields/m-p/460029#M79411 <P>Are you using Verbose Mode?</P> Tue, 19 May 2020 12:55:40 GMT https://community.splunk.com/t5/Getting-Data-In/Large-JSON-events-not-showing-field-in-quot-Interesting-fields/m-p/460029#M79411 richgalloway 2020-05-19T12:55:40Z https://community.splunk.com/t5/Getting-Data-In/Large-JSON-events-not-showing-field-in-quot-Interesting-fields/m-p/460030#M79412 <P>So, even if the _raw is not truncated, there is still a limit set in limits.conf for KV.</P> <PRE><CODE>[kv] maxchars = &lt;integer&gt; * Truncate _raw to this size and then do auto KV. * Default: 10240 characters </CODE></PRE> <P>What is I believe is happening in your case is that the _raw is being truncated before auto KV, so those fields at the end are not being extracted,</P> <P>Maybe you can increase that and try again?</P> <P>Source: <A href="https://docs.splunk.com/Documentation/Splunk/latest/Admin/Limitsconf#.5Bkv.5D">https://docs.splunk.com/Documentation/Splunk/latest/Admin/Limitsconf#.5Bkv.5D</A></P> Tue, 19 May 2020 19:58:09 GMT https://community.splunk.com/t5/Getting-Data-In/Large-JSON-events-not-showing-field-in-quot-Interesting-fields/m-p/460030#M79412 ragedsparrow 2020-05-19T19:58:09Z https://community.splunk.com/t5/Getting-Data-In/Large-JSON-events-not-showing-field-in-quot-Interesting-fields/m-p/460031#M79413 <P>THANK YOU for the great response, this totally makes sense. What, if any, are the adverse affects of this change? I assume probably more stress on RAM?</P> <P>Again, thank you for taking time to help me out here. </P> Wed, 20 May 2020 15:05:25 GMT https://community.splunk.com/t5/Getting-Data-In/Large-JSON-events-not-showing-field-in-quot-Interesting-fields/m-p/460031#M79413 brent_weaver 2020-05-20T15:05:25Z https://community.splunk.com/t5/Getting-Data-In/Large-JSON-events-not-showing-field-in-quot-Interesting-fields/m-p/460032#M79414 <P>I do think you would see a memory impact with an increase in the maxchars, so you'd want to weigh that out and possibly do some testing if you have the capability to. Right now, I have a use case that has made it necessary for me to increase it to 40,000 characters, we're doing some testing right now to see what adverse effects this may cause.</P> Thu, 21 May 2020 19:13:31 GMT https://community.splunk.com/t5/Getting-Data-In/Large-JSON-events-not-showing-field-in-quot-Interesting-fields/m-p/460032#M79414 ragedsparrow 2020-05-21T19:13:31Z https://community.splunk.com/t5/Getting-Data-In/Large-JSON-events-not-showing-field-in-quot-Interesting-fields/m-p/460033#M79415 <P>Hey there, turns out that I need to also make my setting to around 40k. What have your findings been thus far? Seems like a huge jump going 4x the default value. </P> Wed, 27 May 2020 18:52:10 GMT https://community.splunk.com/t5/Getting-Data-In/Large-JSON-events-not-showing-field-in-quot-Interesting-fields/m-p/460033#M79415 brent_weaver 2020-05-27T18:52:10Z https://community.splunk.com/t5/Getting-Data-In/Large-JSON-events-not-showing-field-in-quot-Interesting-fields/m-p/460034#M79416 <P>We ended up backing down to 20k after testing. We had a discussion with our users and determined that beyond 20k wasn't needed in their use case for field extraction. We haven't seen a performance impact in testing, however it's not real indicative of production load.</P> Thu, 28 May 2020 01:30:33 GMT https://community.splunk.com/t5/Getting-Data-In/Large-JSON-events-not-showing-field-in-quot-Interesting-fields/m-p/460034#M79416 ragedsparrow 2020-05-28T01:30:33Z https://community.splunk.com/t5/Getting-Data-In/Large-JSON-events-not-showing-field-in-quot-Interesting-fields/m-p/460035#M79417 <P>Awesome. I will follow suit in testing like you are. I have it set to 15360 (1.5x) the default vault and will keep an eye out but in my case we need it to be 40k+ to work.</P> Thu, 28 May 2020 12:44:40 GMT https://community.splunk.com/t5/Getting-Data-In/Large-JSON-events-not-showing-field-in-quot-Interesting-fields/m-p/460035#M79417 brent_weaver 2020-05-28T12:44:40Z https://community.splunk.com/t5/Getting-Data-In/Large-JSON-events-not-showing-field-in-quot-Interesting-fields/m-p/574155#M101516 <P>hi i am facing same issue here, just clarification this kv setting needs to change on heavy forwarder or search heads</P> Tue, 09 Nov 2021 10:02:32 GMT https://community.splunk.com/t5/Getting-Data-In/Large-JSON-events-not-showing-field-in-quot-Interesting-fields/m-p/574155#M101516 rahulg 2021-11-09T10:02:32Z