https://community.splunk.com/t5/Splunk-Search/Why-is-the-JSON-index-field-extraction-failing-with-large-events/m-p/399874#M115897 <P>We fixed this by explicitly setting</P> <PRE><CODE>[json] KV_MODE = json </CODE></PRE> <P>It appears when unset and implicitly using KV mode, this 10k limit is hit.</P> Mon, 13 Aug 2018 17:29:15 GMT ecd 2018-08-13T17:29:15Z https://community.splunk.com/t5/Splunk-Search/Why-is-the-JSON-index-field-extraction-failing-with-large-events/m-p/399871#M115894 <P>I'm using indexed field extraction to ingest JSON data over the HTTP Event Collector. </P> <P>It works great. Except, once the event is &gt; 10k bytes, the fields within the JSON are not indexed automatically. For example, if I submit a 15k event then search for it via <CODE>host</CODE>, I am able to find it. However, if I search for it via a field within the JSON, it does not come up.</P> <P>Is it possible to configure this setting? I haven't seen anything in the documentation yet. I'm still new to this particular functionality</P> <P>Thanks</P> Mon, 13 Aug 2018 03:07:02 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-the-JSON-index-field-extraction-failing-with-large-events/m-p/399871#M115894 ecd 2018-08-13T03:07:02Z https://community.splunk.com/t5/Splunk-Search/Why-is-the-JSON-index-field-extraction-failing-with-large-events/m-p/399872#M115895 <P>Do the events appear complete when you search for them via "host"? Meaning, the JSON does not appear truncated in the event viewer. I would imagine that you are running up against the default TRUNCATE option for your sourcetype (in props.conf), which by default is set to 10000 bytes. I would try setting TRUNCATE for your sourcetype higher, and then coming back here if that does not work.</P> Mon, 13 Aug 2018 07:10:15 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-the-JSON-index-field-extraction-failing-with-large-events/m-p/399872#M115895 brian_rampley 2018-08-13T07:10:15Z https://community.splunk.com/t5/Splunk-Search/Why-is-the-JSON-index-field-extraction-failing-with-large-events/m-p/399873#M115896 <P>The events do appear and are complete. We identified the issue - I'll add an answer for our fix</P> Mon, 13 Aug 2018 17:26:27 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-the-JSON-index-field-extraction-failing-with-large-events/m-p/399873#M115896 ecd 2018-08-13T17:26:27Z https://community.splunk.com/t5/Splunk-Search/Why-is-the-JSON-index-field-extraction-failing-with-large-events/m-p/399874#M115897 <P>We fixed this by explicitly setting</P> <PRE><CODE>[json] KV_MODE = json </CODE></PRE> <P>It appears when unset and implicitly using KV mode, this 10k limit is hit.</P> Mon, 13 Aug 2018 17:29:15 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-the-JSON-index-field-extraction-failing-with-large-events/m-p/399874#M115897 ecd 2018-08-13T17:29:15Z https://community.splunk.com/t5/Splunk-Search/Why-is-the-JSON-index-field-extraction-failing-with-large-events/m-p/399875#M115898 <P>Hi @ecd, which version of splunk you are using ? i am assuming this stanza was created in any props.conf on splunk that is hosting HEC tokens ?</P> Mon, 11 Feb 2019 12:40:23 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-the-JSON-index-field-extraction-failing-with-large-events/m-p/399875#M115898 nm1984splunk 2019-02-11T12:40:23Z https://community.splunk.com/t5/Splunk-Search/Why-is-the-JSON-index-field-extraction-failing-with-large-events/m-p/399876#M115899 <P>Hi Ecd ,</P> <P>even i m facing the same issue. can u please tell in where you have configured?(indexder, HF,SH)</P> <P>Thanks in advance</P> Wed, 24 Jul 2019 06:29:59 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-the-JSON-index-field-extraction-failing-with-large-events/m-p/399876#M115899 vasanthi77 2019-07-24T06:29:59Z