https://community.splunk.com/t5/Getting-Data-In/Help-with-oneshot-json-Why-is-kvmode-incorrect/m-p/617427#M106604 <P>Thanks&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp;that seems like a really obvious solution now you say it. Referencing the <A title="List of pretrained sourcetypes" href="https://docs.splunk.com/Documentation/Splunk/9.0.1/Data/Listofpretrainedsourcetypes" target="_self">docs</A> I think therefore I should trial:</P><UL><LI><SPAN>_json</SPAN></LI><LI>json_no_timestamp</LI></UL><P><SPAN>I appreciate the feedback and I will let you and the community know. The obvious drawback here is that you can't use a custom sourcetype per the client environment but I suppose oneshot is not designed for scale and batch or monitor should be used for the sustainable solution.</SPAN></P><P>&nbsp;</P> Mon, 17 Oct 2022 19:36:19 GMT NullZero 2022-10-17T19:36:19Z https://community.splunk.com/t5/Getting-Data-In/Help-with-oneshot-json-Why-is-kvmode-incorrect/m-p/617379#M106595 <P>I'm using a distributed Splunk Enterprise environment with over 15 peers at the Indexer Tier.&nbsp; I have some JSON data in a small file less than 500KB and I'm confident that the JSON is parsed correctly and this has been verified in Python with a simple check script.</P> <P>issued command:</P> <P><FONT face="courier new,courier">./splunk add oneshot "/tmp/&lt;file.json&gt;" -sourcetype xxxx:xxxx -index &lt;index&gt;</FONT></P> <P>The command completes and the data is ingested.</P> <P>However, it has parsed as an event per line and not as JSON. Obviously in props.conf the default is not set for 'KV_MODE = json'. There is no option in the CLI when using oneshot to set as JSON.</P> <P>Any thoughts or guidance please. I am a certified Splunk PS consultant but everyday brings something new for all of us right.</P> Wed, 19 Oct 2022 16:22:40 GMT https://community.splunk.com/t5/Getting-Data-In/Help-with-oneshot-json-Why-is-kvmode-incorrect/m-p/617379#M106595 NullZero 2022-10-19T16:22:40Z https://community.splunk.com/t5/Getting-Data-In/Help-with-oneshot-json-Why-is-kvmode-incorrect/m-p/617388#M106599 <P>The sourcetype specified in the oneshot command should be one that properly processes JSON.</P> Mon, 17 Oct 2022 16:55:14 GMT https://community.splunk.com/t5/Getting-Data-In/Help-with-oneshot-json-Why-is-kvmode-incorrect/m-p/617388#M106599 richgalloway 2022-10-17T16:55:14Z https://community.splunk.com/t5/Getting-Data-In/Help-with-oneshot-json-Why-is-kvmode-incorrect/m-p/617427#M106604 <P>Thanks&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp;that seems like a really obvious solution now you say it. Referencing the <A title="List of pretrained sourcetypes" href="https://docs.splunk.com/Documentation/Splunk/9.0.1/Data/Listofpretrainedsourcetypes" target="_self">docs</A> I think therefore I should trial:</P><UL><LI><SPAN>_json</SPAN></LI><LI>json_no_timestamp</LI></UL><P><SPAN>I appreciate the feedback and I will let you and the community know. The obvious drawback here is that you can't use a custom sourcetype per the client environment but I suppose oneshot is not designed for scale and batch or monitor should be used for the sustainable solution.</SPAN></P><P>&nbsp;</P> Mon, 17 Oct 2022 19:36:19 GMT https://community.splunk.com/t5/Getting-Data-In/Help-with-oneshot-json-Why-is-kvmode-incorrect/m-p/617427#M106604 NullZero 2022-10-17T19:36:19Z https://community.splunk.com/t5/Getting-Data-In/Help-with-oneshot-json-Why-is-kvmode-incorrect/m-p/617533#M106618 <P>The following did ingest the data as JSON, and provide KV pairs:</P><P><FONT face="courier new,courier"><SPAN>.</SPAN><SPAN>/splunk add oneshot "/tmp/&lt;file.json&gt;" -sourcetype _json -index &lt;index&gt;</SPAN></FONT></P> Tue, 18 Oct 2022 14:03:55 GMT https://community.splunk.com/t5/Getting-Data-In/Help-with-oneshot-json-Why-is-kvmode-incorrect/m-p/617533#M106618 NullZero 2022-10-18T14:03:55Z https://community.splunk.com/t5/Getting-Data-In/Help-with-oneshot-json-Why-is-kvmode-incorrect/m-p/698451#M115792 <P>We need to keep in mind that KV_MODE applies to search time only and the field extractons ae best to be done at search time.&nbsp; Therefore, at index time if you have the following parameters set you should be good.<BR /><BR /></P><P>props.conf</P><P>[sourcetypename]<BR />LINE_BREAKER<BR />TIME_PREFIX<BR />MAX_TIMESTAMP_LOOKAHEAD<BR />TIME_FORMAT<BR />TRUNCATE<BR />SHOULD_LINEMERGE = false # LINE_BREAKER should be properly set so you can keep SHOULD_LINEMERGE = false<BR />NO_BINARY_CHECK = true&nbsp;</P> Sat, 07 Sep 2024 16:27:21 GMT https://community.splunk.com/t5/Getting-Data-In/Help-with-oneshot-json-Why-is-kvmode-incorrect/m-p/698451#M115792 anwarmian 2024-09-07T16:27:21Z