Are there inconsistencies in behavior with the need for INDEXED_EXTRACTIONS?

Ultra Champion

The admin class (lab) says that for json we need the following in the props.conf of the forwarder.

INDEXED_EXTRACTIONS=json

However, I know that for json all works fine even if INDEXED_EXTRACTIONS=json is only at the indexer level and maybe even that is not needed.

Recently, at "Why does the csv sourcetype work for upload but not via the forwarder?", we realized that INDEXED_EXTRACTIONS = csv is absolutely needed at the forwarder level.

Why is that? It seems that not all pre-defined sourcetypes are treated equally.

0 Karma

Re: Are there inconsistencies in behavior with the need for INDEXED_EXTRACTIONS?

Ultra Champion

A related one at "Why would INDEXED_EXTRACTIONS=JSON in props.conf be resulting in duplicate values?"

@mmodestino says -
- If you use INDEXED_EXTRACTIONS, the props.conf needs to be on the UF

The context is json.

0 Karma

Re: Are there inconsistencies in behavior with the need for INDEXED_EXTRACTIONS?

Splunk Employee

If you use INDEXED_EXTRACTIONS, you need to make sure you disable any search time field extractions for the same sourcetype.
If you specify INDEXED_EXTRACTIONS=json and KV_MODE=auto/json, for example, you will get duplicate values, because the same fields are extracted twice.

0 Karma
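
An added example (not from any poster in this thread, and not Splunk tooling): a small Python check that cross-references a forwarder's props.conf against the search head's and reports sourcetypes that set INDEXED_EXTRACTIONS without KV_MODE=none, the combination described above as producing duplicate values. The stanza names and sample configs are constructed, and the parser assumes plain `[stanza]` / `key = value` lines with no app layering or precedence.

```python
# Added example: simplified props.conf lint, not Splunk tooling.
# Assumption: plain "[stanza]" / "key = value" lines; no app layering or precedence.

def parse_props(text):
    """Return {stanza: {key: value}} from props.conf-style text."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def duplicate_extraction_risks(forwarder_props, search_props):
    """Sourcetypes extracted at index time whose search-time KV_MODE is not 'none'."""
    fwd = parse_props(forwarder_props)
    sh = parse_props(search_props)
    risky = []
    for stanza, settings in fwd.items():
        if "INDEXED_EXTRACTIONS" not in settings:
            continue
        # KV_MODE defaults to auto when the search head does not set it.
        kv_mode = sh.get(stanza, {}).get("KV_MODE", "auto")
        if kv_mode.lower() != "none":
            risky.append((stanza, settings["INDEXED_EXTRACTIONS"], kv_mode))
    return risky

# Constructed sample configs (sourcetype names are made up).
FORWARDER_PROPS = """
[app_json]
INDEXED_EXTRACTIONS = json

[audit_json]
INDEXED_EXTRACTIONS = json
"""

SEARCH_HEAD_PROPS = """
[app_json]
KV_MODE = json

[audit_json]
KV_MODE = none
"""

if __name__ == "__main__":
    for st, fmt, kv in duplicate_extraction_risks(FORWARDER_PROPS, SEARCH_HEAD_PROPS):
        print(f"{st}: INDEXED_EXTRACTIONS={fmt} with KV_MODE={kv} -> duplicate fields")
```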