https://community.splunk.com/t5/Getting-Data-In/Why-does-INDEXED-EXTRACTIONS-JSON-not-extract-all-fields-from/m-p/141250#M28929 <P>Hello,</P> <P>We are trying to index long JSON files. Each JSON file is one event.<BR /> As performance is more important to us than storage space, we wish to extract all JSON fields at index-time.<BR /> We tried to use the INDEXED_EXTRACTIONS=JSON configuration, but it seems that it does not extract all the available JSON fields<BR /> (For example, there are many fields missing from the "Interesting Fields" section).</P> <P>We conducted some tests, and were successful in extracting ALL fields using KV_MODE=JSON , but it's no good for us because of the aforementioned performance issues.</P> <P>How can we make Splunk indexer extract all fields during index-time? Are we missing some kind of configuration regarding the depth of the JSON?</P> <P>Thanks</P> Wed, 29 Jul 2015 12:45:59 GMT moneybox 2015-07-29T12:45:59Z https://community.splunk.com/t5/Getting-Data-In/Why-does-INDEXED-EXTRACTIONS-JSON-not-extract-all-fields-from/m-p/141250#M28929 <P>Hello,</P> <P>We are trying to index long JSON files. Each JSON file is one event.<BR /> As performance is more important to us than storage space, we wish to extract all JSON fields at index-time.<BR /> We tried to use the INDEXED_EXTRACTIONS=JSON configuration, but it seems that it does not extract all the available JSON fields<BR /> (For example, there are many fields missing from the "Interesting Fields" section).</P> <P>We conducted some tests, and were successful in extracting ALL fields using KV_MODE=JSON , but it's no good for us because of the aforementioned performance issues.</P> <P>How can we make Splunk indexer extract all fields during index-time? Are we missing some kind of configuration regarding the depth of the JSON?</P> <P>Thanks</P> Wed, 29 Jul 2015 12:45:59 GMT https://community.splunk.com/t5/Getting-Data-In/Why-does-INDEXED-EXTRACTIONS-JSON-not-extract-all-fields-from/m-p/141250#M28929 moneybox 2015-07-29T12:45:59Z https://community.splunk.com/t5/Getting-Data-In/Why-does-INDEXED-EXTRACTIONS-JSON-not-extract-all-fields-from/m-p/141251#M28930 <P>This is not really THE answer for your question, but have a look at the docs here <A href="http://docs.splunk.com/Documentation/Splunk/6.2.4/Data/Configureindex-timefieldextraction">http://docs.splunk.com/Documentation/Splunk/6.2.4/Data/Configureindex-timefieldextraction</A></P> Thu, 30 Jul 2015 01:29:32 GMT https://community.splunk.com/t5/Getting-Data-In/Why-does-INDEXED-EXTRACTIONS-JSON-not-extract-all-fields-from/m-p/141251#M28930 MuS 2015-07-30T01:29:32Z https://community.splunk.com/t5/Getting-Data-In/Why-does-INDEXED-EXTRACTIONS-JSON-not-extract-all-fields-from/m-p/141252#M28931 <P>Just because fields are not in the <CODE>Interesting Fields</CODE> does not mean they have not been extracted; it just means that they are not "interesting"! You need to click on the <CODE>All Fields</CODE> link to pull up the fields popup and search for the "missing" fields there. In all likelihood, they are there (not really missing).</P> Mon, 02 Nov 2015 13:28:48 GMT https://community.splunk.com/t5/Getting-Data-In/Why-does-INDEXED-EXTRACTIONS-JSON-not-extract-all-fields-from/m-p/141252#M28931 woodcock 2015-11-02T13:28:48Z