JSON Double Extraction

ehowardl3 · ‎01-23-2019

I've got an odd problem with JSON extracting twice. I've read the other posts on this and believe what I have should be working correctly, but it's not.

I have the following props on a universal forwarder, which is reading JSON data:

[Test:JSON]
INDEXED_EXTRACTIONS = json
KV_MODE = none
NO_BINARY_CHECK = true
TIMESTAMP_FIELDS = TimeGenerated
category = Structured
description = JavaScript Object Notation format. For more information, visit http://json.org/
disabled = false
pulldown_type = true

I also have the following on the search head cluster in props:

[Test:JSON]
KV_MODE = none

As I understand it, since I have INDEXED_EXTRACTIONS = json set on the forwarder, it would make sense that I would have double field extractions IF I didn't set KV_MODE = none on the search heads. However, since I do have KV_MODE = none set on the search heads, why am I still getting double extractions? Also, there are no props set on the indexers.

Thanks in advance for any help.

ehowardl3 · ‎01-24-2019

I even tried copying and pasting the default _json props into the new test sourcetype and still get double extractions, even though the default _json sourcetype does not give me double extractions. This makes no sense to me.

JSON Double Extraction

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Join the Conversation

JSON Double Extraction

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...