Solved: Re: JSON events with INDEXED_EXTRACTIONS making ea...

aknsun · ‎08-22-2019

Hi,

I have an issue with JSON events having multivalue fields.

We are using scripted input to ingest the data. The scripted input resides on the collector.

I have the following defined in the props.conf on the collector and no where else

[sourcetype_abc]
INDEXED_EXTRACTIONS = json
KV_MODE = none

Going through a few previous posts, it's being advised that KV_MODE = none need to be placed on the Search Head. Can someone confirm this? Do I also need to make use of AUTO_KV_JSON = false?

So does it need to be as follows:
On Collector

[sourcetype_abc]
INDEXED_EXTRACTIONS = json

On SH
[sourcetype_abc]
KV_MODE = none

harsmarvania57 · ‎08-22-2019

Hi,

Yes configuration which you provided is correct.

On Collector

[sourcetype_abc]
INDEXED_EXTRACTIONS = json

On SH

[sourcetype_abc]
KV_MODE = none

View solution in original post

harsmarvania57 · ‎08-22-2019

Hi,

Yes configuration which you provided is correct.

On Collector

[sourcetype_abc]
INDEXED_EXTRACTIONS = json

On SH

[sourcetype_abc]
KV_MODE = none

aknsun · ‎08-22-2019

@harsmarvania57 Thanks. That worked.

JSON events with INDEXED_EXTRACTIONS making each extracted field multivalue

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?