topic json kvm_mode and additional transforms in Getting Data In https://community.splunk.com/t5/Getting-Data-In/json-kvm-mode-and-additional-transforms/m-p/557416#M92263 <P>Please confirm/deny something for me because it's not clear from the docs.</P><P>Let's assume I have events containing both "unstructured" data and json. Something similar to the ones from <A href="https://community.splunk.com/t5/Getting-Data-In/JSON-transformations/m-p/370127#M67168" target="_blank" rel="noopener">https://community.splunk.com/t5/Getting-Data-In/JSON-transformations/m-p/370127#M67168</A></P><P>Dec 1 22:29:42 127.0.0.1 1 2017-12-01 LOGSERVER 1292 - - {"event_type":"type_here","ipv4":"127.0.0.1","hostname":"pc_name.local","occured":"01-Dec-2017 22:24:34"}</P><P>If I set KV_MODE=json, I assume the fields from the json part should get parsed automaticaly. But what about the rest of the message? Can I still apply transforms to get additional fields parsed from the event?</P> Mon, 28 Jun 2021 12:24:48 GMT PickleRick 2021-06-28T12:24:48Z json kvm_mode and additional transforms https://community.splunk.com/t5/Getting-Data-In/json-kvm-mode-and-additional-transforms/m-p/557416#M92263 <P>Please confirm/deny something for me because it's not clear from the docs.</P><P>Let's assume I have events containing both "unstructured" data and json. Something similar to the ones from <A href="https://community.splunk.com/t5/Getting-Data-In/JSON-transformations/m-p/370127#M67168" target="_blank" rel="noopener">https://community.splunk.com/t5/Getting-Data-In/JSON-transformations/m-p/370127#M67168</A></P><P>Dec 1 22:29:42 127.0.0.1 1 2017-12-01 LOGSERVER 1292 - - {"event_type":"type_here","ipv4":"127.0.0.1","hostname":"pc_name.local","occured":"01-Dec-2017 22:24:34"}</P><P>If I set KV_MODE=json, I assume the fields from the json part should get parsed automaticaly. But what about the rest of the message? Can I still apply transforms to get additional fields parsed from the event?</P> Mon, 28 Jun 2021 12:24:48 GMT https://community.splunk.com/t5/Getting-Data-In/json-kvm-mode-and-additional-transforms/m-p/557416#M92263 PickleRick 2021-06-28T12:24:48Z Re: json kvm_mode and additional transforms https://community.splunk.com/t5/Getting-Data-In/json-kvm-mode-and-additional-transforms/m-p/557453#M92268 <P>Furthermore, do I understand properly that KV_MODE=json would be applied in search-time. So if I want to additionaly manipulate - for example - time and host which are indexed fields I'd have to make an app affecting ingest-time as well? So I'd need to have both search-time configuration on search-head(s) and ingest-time extractions on heavy-forwarder(s)?</P> Mon, 28 Jun 2021 16:19:30 GMT https://community.splunk.com/t5/Getting-Data-In/json-kvm-mode-and-additional-transforms/m-p/557453#M92268 PickleRick 2021-06-28T16:19:30Z