https://community.splunk.com/t5/Getting-Data-In/How-to-extract-keys-and-values-from-the-JSON-data-from-data/m-p/437418#M76296 <P>Also make sure you aren't in fast mode.</P> Tue, 12 Mar 2019 04:59:03 GMT chrisyounger 2019-03-12T04:59:03Z https://community.splunk.com/t5/Getting-Data-In/How-to-extract-keys-and-values-from-the-JSON-data-from-data/m-p/437416#M76294 <P>Hi all,</P> <P>Sorry I know this has been asked a million and one times here before but none of the previous answers seem to work for me.</P> <P>I'm writing a modular input to collect data from another system using it's API. The modular input is working, it's getting the data, it's passing it into Splunk via XML streaming. It even seems like Splunk recognises it's JSON data (I can search for it and the output is nicely formatted as JSON). But the keys and values aren't being extracted into fields - which is really annoying because I can't search the data via a key value immediately.</P> <P>I've tried adding "INDEXED_EXTRACTIONS = json" to the props.conf in default in the app on the heavy forwarder it's deployed on - but that's made no difference. I also tried adding "kv_mode = json" in the props.conf on the search head and that didn't help either.</P> <P>Ideally I'd like to make it so this modular input causes Splunk to extract the key-value pairs from the data as it's indexed.</P> <P>Is this possible? Or should I be attempting this in another way?</P> <P>Thanks<BR /> Eddie</P> Tue, 29 Sep 2020 23:40:49 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-extract-keys-and-values-from-the-JSON-data-from-data/m-p/437416#M76294 marrette 2020-09-29T23:40:49Z https://community.splunk.com/t5/Getting-Data-In/How-to-extract-keys-and-values-from-the-JSON-data-from-data/m-p/437417#M76295 <P>Both of these attempts should be correct to extract keys. I recommend <CODE>KV_MODE = json</CODE> becuase Splunk's strength is that its a search-time platform. If its doing the nice formatting, then that means its valid JSON. Might be worth using btool to check the sourcetype is definitely <CODE>KV_MODE = json</CODE></P> Tue, 12 Mar 2019 03:32:14 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-extract-keys-and-values-from-the-JSON-data-from-data/m-p/437417#M76295 chrisyounger 2019-03-12T03:32:14Z https://community.splunk.com/t5/Getting-Data-In/How-to-extract-keys-and-values-from-the-JSON-data-from-data/m-p/437418#M76296 <P>Also make sure you aren't in fast mode.</P> Tue, 12 Mar 2019 04:59:03 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-extract-keys-and-values-from-the-JSON-data-from-data/m-p/437418#M76296 chrisyounger 2019-03-12T04:59:03Z https://community.splunk.com/t5/Getting-Data-In/How-to-extract-keys-and-values-from-the-JSON-data-from-data/m-p/437419#M76297 <P>Either you use <CODE>INDEXED_EXTRACTIONS</CODE> or <CODE>KV_MODE</CODE>, but not both. Set <CODE>KV_MODE = none</CODE> on your Search Head's props.conf if you really want to have indexed fields.</P> <P>Skalli</P> Tue, 12 Mar 2019 11:52:22 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-extract-keys-and-values-from-the-JSON-data-from-data/m-p/437419#M76297 skalliger 2019-03-12T11:52:22Z