topic Re: JSON extracting multiple times? in Monitoring Splunk

JSON extracting multiple times?

vinayakwagh — Wed, 30 Sep 2020 00:04:30 GMT

I have HeavyForwarder monitoring jason data.
i am getting JSON extraction normal on HF.

But if i search for same data on Search Head Json fields are extracting twice.

I have tried modifying props.conf with
KV_MODE=none
INDEXED_EXTRACTION=json

i also tried props on SH with
AUTO_KV_JSON = false

but getting same result

Re: JSON extracting multiple times?

pruthvikrishnap — Wed, 30 Sep 2020 00:00:08 GMT

Hi Vinay,

try this, it worked for me.
in props.conf add below
[json_app]
INDEXED_EXTRACTIONS=json
KV_MODE=none

Re: JSON extracting multiple times?

woodcock — Thu, 11 Apr 2019 00:15:35 GMT

You need this on your Forwarder (the server where the json file exists, probably not your HF):

INDEXED_EXTRACTION=json
sourcetype=YourSourcetypeHere

You need this on your Search Heads:

[<YourSourcetypeHere>]
KV_MODE=none 
AUTO_KV_JSON = false

Re: JSON extracting multiple times?

vinayakwagh — Thu, 11 Apr 2019 19:29:18 GMT

Hi
in which props should i entered this stanza?

on SH or HF?

Re: JSON extracting multiple times?

thirusama — Mon, 26 Aug 2019 21:52:00 GMT

We have Similar issue (json fields are extracted twice)

On Universal forwarder (7.0.3) the settings are like this

 [my_sourcetype]
    SHOULD_LINEMERGE=true
    LINE_BREAKER=([\r\n]+)
    NO_BINARY_CHECK=true
    CHARSET=UTF-8
    INDEXED_EXTRACTIONS=json
    KV_MODE=none
    category=Structured
    description=JavaScript Object Notation format. For more information, visit http://json.org/
    disabled=false
    pulldown_type=true
    TIMESTAMP_FIELDS=timestamp

On Search Head(7.2.6), tried all combinations of below

[my_sourcetype]
INDEXED_EXTRACTIONS=json
KV_MODE=none
AUTO_KV_JSON = false

Does anyone have a working solution? Also when we apply props on SH member, do we have to restart Splunk on it? We just did _debug/refresh.

Re: JSON extracting multiple times?

masonmorales — Mon, 26 Aug 2019 21:54:32 GMT

Yes, restart Splunk.

Re: JSON extracting multiple times?

thirusama — Mon, 26 Aug 2019 21:58:18 GMT

Restarted, No luck.

Re: JSON extracting multiple times?

thirusama — Thu, 29 Aug 2019 17:46:21 GMT

@vinayakwagh Please if below post helps you. We had faced similar issue and is resolved now
https://answers.splunk.com/answers/768573/why-are-json-fields-extracted-and-displayed-twice.html

Re: JSON extracting multiple times?

woodcock — Sun, 01 Sep 2019 20:56:31 GMT

You need these props.conf settings on your Search Head:

[my_sourcetype]
KV_MODE = none
AUTO_KV_JSON = false

Restart splunk on the search head. That's it. If it isn't working, double-check with btool.

Re: JSON extracting multiple times?

sakthiganesht — Thu, 17 Oct 2019 12:50:37 GMT

I have similar issue like you, even after restart no luck
Could you please let me know if you got it fixed?

Re: JSON extracting multiple times?

woodcock — Thu, 17 Oct 2019 13:57:56 GMT

Your settings are correct so it must be something else. If you are doing a sourcetype override/overwrite, you must use the ORIGINAL value, NOT the new value. You must deploy your settings to the first full instance(s) of Splunk that handle the events (usually either the HF tier if you use one, or else your Indexer tier), restart all Splunk instances there, send in new events (old events will stay broken), then test using _index_earliest=-5m to be absolutely certain that you are only examining the newly indexed events.