JSON Double Extraction

ehowardl3 · ‎01-23-2019

I've got an odd problem with JSON extracting twice. I've read the other posts on this and believe what I have should be working correctly, but it's not.

I have the following props on a universal forwarder, which is reading JSON data:

[Test:JSON]
INDEXED_EXTRACTIONS = json
KV_MODE = none
NO_BINARY_CHECK = true
TIMESTAMP_FIELDS = TimeGenerated
category = Structured
description = JavaScript Object Notation format. For more information, visit http://json.org/
disabled = false
pulldown_type = true

I also have the following on the search head cluster in props:

[Test:JSON]
KV_MODE = none

As I understand it, since I have INDEXED_EXTRACTIONS = json set on the forwarder, it would make sense that I would have double field extractions IF I didn't set KV_MODE = none on the search heads. However, since I do have KV_MODE = none set on the search heads, why am I still getting double extractions? Also, there are no props set on the indexers.

Thanks in advance for any help.

ehowardl3 · ‎01-24-2019

I even tried copying and pasting the default _json props into the new test sourcetype and still get double extractions, even though the default _json sourcetype does not give me double extractions. This makes no sense to me.

JSON Double Extraction

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Join the Conversation

JSON Double Extraction

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...