https://community.splunk.com/t5/Splunk-Search/HEC-large-field-value-not-extracted-but-is-in-raw/m-p/436120#M124316 <P>When the events are inserted via HEC running a fieldsummary DOES NOT show report field. When the same raw event is input via a file fieldsummary DOES show report field.</P> Tue, 05 Mar 2019 18:12:09 GMT simpkins1958 2019-03-05T18:12:09Z https://community.splunk.com/t5/Splunk-Search/HEC-large-field-value-not-extracted-but-is-in-raw/m-p/436117#M124313 <P>Have a field in our HEC input that is larger the 10,000 characters. When searching the data input from HEC the field is has not been extracted. It is in _raw and I can pull it out of there. Really would like to be able to have the field extracted.</P> <P>props.conf has:<BR /> TRUNCATE = 0</P> <P>I can manually input the same data via a text file and the large field (a blob of JSON text) is extracted and available fine. Just not when input via HEC.</P> <P>See screen shots<span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/6462i4FDF96ECC89C7C61/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Tue, 29 Jan 2019 16:30:23 GMT https://community.splunk.com/t5/Splunk-Search/HEC-large-field-value-not-extracted-but-is-in-raw/m-p/436117#M124313 simpkins1958 2019-01-29T16:30:23Z https://community.splunk.com/t5/Splunk-Search/HEC-large-field-value-not-extracted-but-is-in-raw/m-p/436118#M124314 <P>i'll ask the dumb question...is the report field in the "3 more fields" link?</P> Sun, 10 Feb 2019 23:51:53 GMT https://community.splunk.com/t5/Splunk-Search/HEC-large-field-value-not-extracted-but-is-in-raw/m-p/436118#M124314 maciep 2019-02-10T23:51:53Z https://community.splunk.com/t5/Splunk-Search/HEC-large-field-value-not-extracted-but-is-in-raw/m-p/436119#M124315 <P>No the report field is not listed.</P> Sun, 10 Feb 2019 23:56:37 GMT https://community.splunk.com/t5/Splunk-Search/HEC-large-field-value-not-extracted-but-is-in-raw/m-p/436119#M124315 simpkins1958 2019-02-10T23:56:37Z https://community.splunk.com/t5/Splunk-Search/HEC-large-field-value-not-extracted-but-is-in-raw/m-p/436120#M124316 <P>When the events are inserted via HEC running a fieldsummary DOES NOT show report field. When the same raw event is input via a file fieldsummary DOES show report field.</P> Tue, 05 Mar 2019 18:12:09 GMT https://community.splunk.com/t5/Splunk-Search/HEC-large-field-value-not-extracted-but-is-in-raw/m-p/436120#M124316 simpkins1958 2019-03-05T18:12:09Z https://community.splunk.com/t5/Splunk-Search/HEC-large-field-value-not-extracted-but-is-in-raw/m-p/436121#M124317 <P>Hi,</P> <P>Canyou increase the maxchars in limits.conf and try.</P> <P><A href="https://docs.splunk.com/Documentation/Splunk/7.2.4/Admin/Limitsconf">https://docs.splunk.com/Documentation/Splunk/7.2.4/Admin/Limitsconf</A></P> <P>Sid</P> Tue, 05 Mar 2019 18:22:24 GMT https://community.splunk.com/t5/Splunk-Search/HEC-large-field-value-not-extracted-but-is-in-raw/m-p/436121#M124317 sdchakraborty 2019-03-05T18:22:24Z https://community.splunk.com/t5/Splunk-Search/HEC-large-field-value-not-extracted-but-is-in-raw/m-p/436122#M124318 <P>If sending into HEC using the event not raw endpoint in JSON.<BR /> Set KV_MODE = JSON on the props for that sourcetype. NOT auto...<BR /> <A href="http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf?splunkbot">http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf?splunkbot</A></P> Tue, 05 Mar 2019 18:39:05 GMT https://community.splunk.com/t5/Splunk-Search/HEC-large-field-value-not-extracted-but-is-in-raw/m-p/436122#M124318 starcher 2019-03-05T18:39:05Z https://community.splunk.com/t5/Splunk-Search/HEC-large-field-value-not-extracted-but-is-in-raw/m-p/436123#M124319 <P>Adding this to props.conf fixed the issue:</P> <P>[nm_MobileDiagnosticsReportData]<BR /> KV_MODE = json</P> Tue, 29 Sep 2020 23:29:53 GMT https://community.splunk.com/t5/Splunk-Search/HEC-large-field-value-not-extracted-but-is-in-raw/m-p/436123#M124319 simpkins1958 2020-09-29T23:29:53Z