https://community.splunk.com/t5/Getting-Data-In/Do-I-have-a-possible-KV-extraction-issue-on-the-universal/m-p/431985#M75607 <P>HI @ehowardl3 ,</P> <P>I am assuming that forwarder means Universal forwarder, in that case can you please apply below configuration on Universal Forwarder ?</P> <P>props.conf</P> <PRE><CODE>[test:json] INDEXED_EXTRACTIONS = json </CODE></PRE> Tue, 28 Aug 2018 09:18:49 GMT harsmarvania57 2018-08-28T09:18:49Z https://community.splunk.com/t5/Getting-Data-In/Do-I-have-a-possible-KV-extraction-issue-on-the-universal/m-p/431984#M75606 <P>I have some json events that are fairly long (10K-20K characters). Most events come through fine, except for the fact that some events have an issue with some of the fields towards the end of the event not being automatically extracted. I ran a couple of searches and found that the maximum raw length of the events with no issues is 10,197, while the minimum raw length of the events with the extraction issues is 10,251. </P> <P>This led me to believe that I needed to bump up maxchars in the kv stanza in limits.conf, since it has a default limit of 10,240. However, upon making the change, the extraction issues remain. Here are my configurations:</P> <P>On the forwarder:</P> <P>props.conf:</P> <PRE><CODE>[test:json] KV_MODE = json TIMESTAMP_FIELDS = Date TRUNCATE = 0 NO_BINARY_CHECK = true SHOULD_LINEMERGE = false </CODE></PRE> <P>On the search head:</P> <P>limits.conf:</P> <PRE><CODE>[kv] limit = 200 maxchars = 25000 maxcols = 1024 </CODE></PRE> <P>Any ideas?</P> <P>Thanks!<BR /> E</P> Mon, 27 Aug 2018 20:21:21 GMT https://community.splunk.com/t5/Getting-Data-In/Do-I-have-a-possible-KV-extraction-issue-on-the-universal/m-p/431984#M75606 ehowardl3 2018-08-27T20:21:21Z https://community.splunk.com/t5/Getting-Data-In/Do-I-have-a-possible-KV-extraction-issue-on-the-universal/m-p/431985#M75607 <P>HI @ehowardl3 ,</P> <P>I am assuming that forwarder means Universal forwarder, in that case can you please apply below configuration on Universal Forwarder ?</P> <P>props.conf</P> <PRE><CODE>[test:json] INDEXED_EXTRACTIONS = json </CODE></PRE> Tue, 28 Aug 2018 09:18:49 GMT https://community.splunk.com/t5/Getting-Data-In/Do-I-have-a-possible-KV-extraction-issue-on-the-universal/m-p/431985#M75607 harsmarvania57 2018-08-28T09:18:49Z https://community.splunk.com/t5/Getting-Data-In/Do-I-have-a-possible-KV-extraction-issue-on-the-universal/m-p/431986#M75608 <P>Thank you! This worked. I had tried that previously, however I had:</P> <PRE><CODE>[test:json] INDEXED_EXTRACTIONS = JSON </CODE></PRE> <P>I'm assuming the uppercase JSON was causing an issue.</P> Tue, 28 Aug 2018 12:11:37 GMT https://community.splunk.com/t5/Getting-Data-In/Do-I-have-a-possible-KV-extraction-issue-on-the-universal/m-p/431986#M75608 ehowardl3 2018-08-28T12:11:37Z https://community.splunk.com/t5/Getting-Data-In/Do-I-have-a-possible-KV-extraction-issue-on-the-universal/m-p/431987#M75609 <P>Great, it worked. I have converted my comment to answer so that you can accept/upvote it.</P> <P>Thanks,<BR /> Harshil</P> Tue, 28 Aug 2018 12:29:08 GMT https://community.splunk.com/t5/Getting-Data-In/Do-I-have-a-possible-KV-extraction-issue-on-the-universal/m-p/431987#M75609 harsmarvania57 2018-08-28T12:29:08Z