Getting Data In

Automatic extraction of JSON fields doesn't work and have to use spath

Motoko89
Path Finder

I have a distributed Splunk deployment and need to index JSON data, 1 object per row. Objects are serialized using NewtonSoft.JSON .NET library. I already configured both INDEXED_EXTRACTIONS = json and KV_MODE = json for my custom source type in props.conf for deployment app of forwarders, indexers, and heads.

Yet, when I search, I still need to specify spath, else no result is returned. Our event text length does not exceed 5000 chars (~ 2500 chars), so I don't think the problem here https://answers.splunk.com/answers/177410/why-are-only-some-json-fields-extracted-as-data-in.html affects us. What do I miss here? Any suggestion?

My props.conf

[myblob]
DATETIME_CONFIG = 
INDEXED_EXTRACTIONS = json
KV_MODE = json
AUTO_KV_JSON = true
NO_BINARY_CHECK = true
category = Structured
description = my blob description
disabled = false
TIME_PREFIX=\"EventInfo\.Time\":\s*
TIME_FORMAT=%Y-%m-%dT%H:%M:%S.%7NZ
0 Karma

ssadanala1
Contributor

You can't specify both INDEXED_EXTRACTIONS and KV_MODE in the props.
You need to specify either one.

Try this

[myblob]
DATETIME_CONFIG =
KV_MODE = json
AUTO_KV_JSON = true
NO_BINARY_CHECK = true
category = Structured
description = my blob description
disabled = false
TIME_PREFIX=\"EventInfo.Time\":\s*
TIME_FORMAT=%Y-%m-%dT%H:%M:%S.%7NZ

0 Karma

Motoko89
Path Finder

So there are 3 places the props.conf goes to: the forwarder, the indexer, and the head. Could you advise more specifically which one I should change into what? Do I keep AUTO_KV_JSON at all 3 places?

0 Karma

MuS
SplunkTrust

AUTO_KV_JSON is not needed anywhere, because it defaults to true anyway 😉

AUTO_KV_JSON = [true|false]
* Used for search-time field extractions only.
* Specifies whether to try json extraction automatically.
* Defaults to true.

If you use KV_MODE=json it will only go on the search head. And adding to this, your JSON format must be true and valid JSON otherwise Splunk will not do anything ...

* The 'xml' and 'json' modes will not extract any fields when used on data
  that isn't of the correct format (JSON or XML).

Hope this helps ...

cheers, MuS
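
The point above, that the 'json' mode extracts nothing from data that is not valid JSON, can be checked on a sample file before indexing. This is an added example, not code from the thread or from Splunk: a Python check over one-object-per-line input that flags invalid JSON, events longer than the 5000 characters the question mentions, and events where the question's TIME_PREFIX regex finds no match. The function name, problem labels and sample events are assumptions constructed for illustration.

```python
import json
import re

# Regex copied from the TIME_PREFIX setting in the question's props.conf.
TIME_PREFIX = re.compile(r'\"EventInfo\.Time\":\s*')
# Event length the question cites as the limit for automatic extraction.
MAX_EVENT_CHARS = 5000


def _reject_constant(name):
    # Python's parser accepts NaN/Infinity, which are not valid JSON.
    raise ValueError(f"{name} is not valid JSON")


def check_events(lines):
    """Return (line_number, problem) pairs for one-object-per-line input."""
    problems = []
    for num, raw in enumerate(lines, start=1):
        event = raw.rstrip("\r\n")
        if not event.strip():
            continue  # blank lines carry no event
        try:
            obj = json.loads(event, parse_constant=_reject_constant)
        except ValueError:  # includes json.JSONDecodeError
            problems.append((num, "invalid_json"))
            continue
        if not isinstance(obj, dict):
            problems.append((num, "not_object"))
        if len(event) > MAX_EVENT_CHARS:
            problems.append((num, "too_long"))
        if not TIME_PREFIX.search(event):
            problems.append((num, "no_time_prefix"))
    return problems


# Constructed sample events (hypothetical, not taken from the thread).
TS = "2018-03-01T10:15:30.1234567Z"
SAMPLE_EVENTS = [
    json.dumps({"EventInfo.Time": TS, "Level": "Info"}),        # clean
    '{"EventInfo.Time": "%s", "Level": "Warn",}' % TS,          # trailing comma
    json.dumps({"EventInfo": {"Time": TS}, "Level": "Info"}),   # nested key
    json.dumps({"EventInfo.Time": TS, "Message": "x" * 6000}),  # over limit
    json.dumps({"EventInfo.Time": TS, "Value": float("nan")}),  # NaN literal
]

if __name__ == "__main__":
    for num, problem in check_events(SAMPLE_EVENTS):
        print(f"line {num}: {problem}")
```

The nested-key sample is valid JSON but serializes as "EventInfo":{"Time": ...}, so a prefix written for a flat "EventInfo.Time" key does not match it.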

xpac
SplunkTrust

...and you most likely want to use KV_MODE and not indexed extractions. Remember that in case of KV_MODE, this has to go on the search head, not on the indexer. In case of indexed extractions, it has to go on the indexer, and maybe on the search head (not sure about that).

0 Karma