Sorry I know this has been asked a million and one times here before but none of the previous answers seem to work for me.
I'm writing a modular input to collect data from another system using its API. The modular input is working, it's getting the data, it's passing it into Splunk via XML streaming. It even seems like Splunk recognises it's JSON data (I can search for it and the output is nicely formatted as JSON). But the keys and values aren't being extracted into fields - which is really annoying because I can't search the data via a key-value immediately.
I've tried adding "INDEXED_EXTRACTIONS = json" to the props.conf in default in the app on the heavy forwarder it's deployed on - but that's made no difference. I also tried adding "kv_mode = json" in the props.conf on the search head and that didn't help either.
Ideally I'd like to make it so this modular input causes Splunk to extract the key-value pairs from the data as it's indexed.
Is this possible? Or should I be attempting this in another way?
Both of these attempts should be correct to extract keys. I recommend KV_MODE = json because Splunk's strength is that it's a search-time platform. If it's doing the nice formatting, then that means it's valid JSON. Might be worth using btool to check the sourcetype definitely has KV_MODE = json.
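Added example (not from the thread above, and not Splunk's own tooling): a small offline check in the spirit of the btool suggestion, which parses a props.conf and reports whether a given sourcetype stanza will extract JSON fields at search time (KV_MODE = json), at index time (INDEXED_EXTRACTIONS = json), both, or neither. The stanza names and the props.conf content are constructed for the example; the third stanza mirrors the lowercase kv_mode spelling from the question so the check flags it as differing from the documented KV_MODE.

```python
import configparser

# Constructed sample props.conf (example data, not from the original thread).
# Stanza 1: the modular input's sourcetype with no JSON setting, so nothing is extracted.
# Stanza 2: lowercase kv_mode, as typed in the question above.
# Stanza 3: the search-time setting the answer recommends.
SAMPLE_PROPS_CONF = """\
[my_api_input]
SHOULD_LINEMERGE = false
TRUNCATE = 0

[my_api_input_typo]
SHOULD_LINEMERGE = false
kv_mode = json

[my_api_input_fixed]
SHOULD_LINEMERGE = false
TRUNCATE = 0
KV_MODE = json
"""

DOCUMENTED_KEYS = ("KV_MODE", "INDEXED_EXTRACTIONS")


def parse_props(conf_text):
    """Parse Splunk-style props.conf text into {stanza: {key: value}}.

    props.conf is INI-like, so configparser is enough for a config check.
    optionxform is overridden so key spelling is kept exactly as written
    (the default would lowercase everything and hide a kv_mode/KV_MODE mismatch).
    Interpolation is disabled because regex-heavy settings often contain '%'.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str
    parser.read_string(conf_text)
    return {section: dict(parser[section]) for section in parser.sections()}


def check_json_extraction(props, sourcetype):
    """Report how a sourcetype stanza extracts JSON fields.

    Returns {"mode": ..., "warnings": [...]} where mode is one of
    'search-time', 'index-time', 'both', 'none' or 'missing-stanza'.
    """
    stanza = props.get(sourcetype)
    if stanza is None:
        return {"mode": "missing-stanza",
                "warnings": [f"no [{sourcetype}] stanza found"]}

    warnings = []
    # Keys that match a documented setting name only when case is ignored
    # are reported rather than silently accepted.
    for key in stanza:
        for documented in DOCUMENTED_KEYS:
            if key != documented and key.upper() == documented:
                warnings.append(
                    f"'{key}' is not the documented spelling '{documented}'")

    search_time = stanza.get("KV_MODE", "").strip().lower() == "json"
    index_time = stanza.get("INDEXED_EXTRACTIONS", "").strip().lower() == "json"

    if search_time and index_time:
        mode = "both"
        warnings.append("KV_MODE and INDEXED_EXTRACTIONS are both json; "
                        "Splunk docs advise KV_MODE = none alongside "
                        "INDEXED_EXTRACTIONS to avoid duplicate field values")
    elif search_time:
        mode = "search-time"
    elif index_time:
        mode = "index-time"
    else:
        mode = "none"
    return {"mode": mode, "warnings": warnings}


if __name__ == "__main__":
    props = parse_props(SAMPLE_PROPS_CONF)
    for name in props:
        report = check_json_extraction(props, name)
        print(f"[{name}] -> {report['mode']}")
        for warning in report["warnings"]:
            print(f"    warning: {warning}")
```

Run it against the props.conf on the tier where the setting takes effect (search head for KV_MODE, the parsing forwarder or indexer for INDEXED_EXTRACTIONS); on a real deployment the btool output the answer mentions shows the merged result of several files, which this single-file check does not attempt.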