https://community.splunk.com/t5/Splunk-Search/JSON-Log-Search-time-field-extraction-not-working-on-multi/m-p/40812#M9435 <P>I have a JSON format log file.</P> <P>When this is ingested by a single server installation of splunk (4.3.4), fields are correctly extracted at search time (and appear as interesting fields). The following stanaza is used in the props.conf<BR /> [alarm_log]<BR /> KV_MODE=JSON<BR /> TIME_FORMAT=%d/%m/%Y %T.%3N<BR /> TIME_PREFIX = LogTimeStamp":"</P> <P>Moving to QA. I have:<BR /> 1 Machine with a Heavy Forwader (stanza):<BR /> [alarm_log]<BR /> TIME_FORMAT=%d/%m/%Y %T.%3N<BR /> TIME_PREFIX = LogTimeStamp":"</P> <P>1 Machine with the index and search head (stanza):<BR /> [alarm_log]<BR /> KV_MODE=JSON</P> <P>When the exact same log file is ingested, the fields are not extracted, and I must use spath command in each search to force this extraction.</P> <P>what am i missing?</P> Mon, 28 Sep 2020 12:50:30 GMT rick_harrison 2020-09-28T12:50:30Z https://community.splunk.com/t5/Splunk-Search/JSON-Log-Search-time-field-extraction-not-working-on-multi/m-p/40812#M9435 <P>I have a JSON format log file.</P> <P>When this is ingested by a single server installation of splunk (4.3.4), fields are correctly extracted at search time (and appear as interesting fields). The following stanaza is used in the props.conf<BR /> [alarm_log]<BR /> KV_MODE=JSON<BR /> TIME_FORMAT=%d/%m/%Y %T.%3N<BR /> TIME_PREFIX = LogTimeStamp":"</P> <P>Moving to QA. I have:<BR /> 1 Machine with a Heavy Forwader (stanza):<BR /> [alarm_log]<BR /> TIME_FORMAT=%d/%m/%Y %T.%3N<BR /> TIME_PREFIX = LogTimeStamp":"</P> <P>1 Machine with the index and search head (stanza):<BR /> [alarm_log]<BR /> KV_MODE=JSON</P> <P>When the exact same log file is ingested, the fields are not extracted, and I must use spath command in each search to force this extraction.</P> <P>what am i missing?</P> Mon, 28 Sep 2020 12:50:30 GMT https://community.splunk.com/t5/Splunk-Search/JSON-Log-Search-time-field-extraction-not-working-on-multi/m-p/40812#M9435 rick_harrison 2020-09-28T12:50:30Z https://community.splunk.com/t5/Splunk-Search/JSON-Log-Search-time-field-extraction-not-working-on-multi/m-p/40813#M9436 <P>When you using a heavy forwarder, parsing happens on the forwarder. While I am pretty sure that the KV_MODE should apply only at search time, I wonder if you are missing something because it appears only on the search head / indexer.<BR /> I would try adding the <CODE>KV_MODE=JSON</CODE> to the heavy forwarder as well as the indexer/search head. It won't hurt to have it in two places. Try it and see if that works. There is really no down side.</P> <P>You might also consider installing the free Splunk on Splunk app (SoS). This would help you see all the places that might be affecting the configuration of the <CODE>alarm_log</CODE> sourcetype. Or try <CODE>btool</CODE></P> Mon, 28 Sep 2020 13:17:54 GMT https://community.splunk.com/t5/Splunk-Search/JSON-Log-Search-time-field-extraction-not-working-on-multi/m-p/40813#M9436 lguinn2 2020-09-28T13:17:54Z