Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

JSON field extraction beyond 5000 chars

Sahansral
Loves-to-Learn Lots
‎04-30-2021 12:18 AM

Hello,

we have a problem with long JSON events that have a length over 5000 chars  (under 5000 works fine).
The auto-field-extraction stops around the 5000 char limit, so fields beyond that are not recognized at all.

Also the JSON structure of these long events isn't formatted in the result list after a search.

We set extraction_cutoff in limits.conf to 10000 and restarted, but it didn't help. 
Is there another limit  we can set?

Thanks in advance!  

Labels (2)
Labels
0 Karma
Reply

harsmarvania57
Ultra Champion
‎04-30-2021 06:41 AM

Hi,

 

How many fields do you have in your event? If it is more than 100 fields then you need to increase below settings in limits.conf on SH.

 

[kv]
limit = <integer>
* The maximum number of fields that an automatic key-value field extraction
  (auto kv) can generate at search time.
* The summary fields 'host', 'index', 'source', 'sourcetype', 'eventtype',
  'linecount', 'splunk_server', and 'splunk_server_group' do not count against
  this limit and will always be returned.
* Increase this setting if, for example, you have data with a large
  number of columns and want to ensure that searches display all fields extracted
  from an automatic key-value field (auto kv) configuration.
* Set this value to 0 if you do not want to limit the number of fields
  that can be extracted at index time and search time.
* Default: 100

 

0 Karma
Reply

Sahansral
Loves-to-Learn Lots
‎04-30-2021 06:50 AM

The events have about 20 fields.   There's one very long field which contains a stack trace.

0 Karma
Reply

harsmarvania57
Ultra Champion
‎04-30-2021 06:54 AM

Is it possible you to provide sample event (Remove any sensitive data) and query which you are using?

0 Karma
Reply

Sahansral
Loves-to-Learn Lots
‎04-30-2021 02:44 AM

Hi Giuseppe,
I tried it, but it didn't solve the problem.
As far as I know, truncate belongs to line breaking and the events are indexed completely.
No truncation.
Only the json auto extraction is messed up.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎04-30-2021 05:18 AM

Hi @Sahansral,

could you share a sample of your logs?

Ciao.

Giuseppe

0 Karma
Reply

Sahansral
Loves-to-Learn Lots
‎05-03-2021 12:36 AM

Here one log event:
{"Timestamp":"2021-04-21T20:01:44.6168842+02:00","Message":"Es ist ein Fehler aufgetreten. ErrorMessage: Fehler beim Lesen der Einkaufsliste. PersId = 132, Monat 10, Jahr 2020; {@RequestInfo}","Level":"Error","Exception":{"Type":"xxxxxx.ooo.uuuuuuuu.zzz.zzzzzzzz.Integration.Exceptions.BargeldlosIntegratorException","Message":"Fehler beim Lesen der Einkaufsliste. PersId = 132, Monat 10, Jahr 2020","Source":"xxxxxx.ooo.uuuuuuuu.zzz.zzzzzzzz.Integration.01","StackTrace":" bei xxxxxx.ooo.uuuuuuuu.zzz.zzzzzzzz.Integration.BargeldlosIntegrator.GetEinkaufsliste(Int32 persId, Int32 jahr, Int32 monat)\r\n bei xxxxxx.ooo.uuuuuuuu.zzz.iii.zzzzzzzz.API.Controllers.BargeldlosController.GetEinkaufsliste(Int32 persId, Int32 jahr, Int32 monat)\r\n bei lambda_method(Closure , Object , Object[] )\r\n bei System.Web.Http.Controllers.ReflectedHttpActionDescriptor.ActionExecutor.<>c__DisplayClass6_2.<GetExecutor>b__2(Object instance, Object[] methodParameters)\r\n bei System.Web.Http.Controllers.ReflectedHttpActionDescriptor.ExecuteAsync(HttpControllerContext controllerContext, IDictionary`2 arguments, CancellationToken cancellationToken)\r\n--- Ende der Stapelüberwachung vom vorhergehenden Ort, an dem die Ausnahme ausgelöst wurde ---\r\n bei System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()\r\n bei System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)\r\n bei System.Web.Http.Controllers.ApiControllerActionInvoker.<InvokeActionAsyncCore>d__1.MoveNext()\r\n--- Ende der Stapelüberwachung vom vorhergehenden Ort, an dem die Ausnahme ausgelöst wurde ---\r\n bei System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()\r\n bei System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)\r\n bei System.Web.Http.Filters.ActionFilterAttribute.<CallOnActionExecutedAsync>d__6.MoveNext()\r\n--- Ende der Stapelüberwachung vom vorhergehenden Ort, an dem die Ausnahme ausgelöst wurde ---\r\n bei System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()\r\n bei System.Web.Http.Filters.ActionFilterAttribute.<CallOnActionExecutedAsync>d__6.MoveNext()\r\n--- Ende der Stapelüberwachung vom vorhergehenden Ort, an dem die Ausnahme ausgelöst wurde ---\r\n bei System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()\r\n bei System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)\r\n bei System.Web.Http.Filters.ActionFilterAttribute.<ExecuteActionFilterAsyncCore>d__5.MoveNext()\r\n--- Ende der Stapelüberwachung vom vorhergehenden Ort, an dem die Ausnahme ausgelöst wurde ---\r\n bei System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()\r\n bei System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)\r\n bei System.Web.Http.Filters.ActionFilterAttribute.<CallOnActionExecutedAsync>d__6.MoveNext()\r\n--- Ende der Stapelüberwachung vom vorhergehenden Ort, an dem die Ausnahme ausgelöst wurde ---\r\n bei System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()\r\n bei System.Web.Http.Filters.ActionFilterAttribute.<CallOnActionExecutedAsync>d__6.MoveNext()\r\n--- Ende der Stapelüberwachung vom vorhergehenden Ort, an dem die Ausnahme ausgelöst wurde ---\r\n bei System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()\r\n bei System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)\r\n bei System.Web.Http.Filters.ActionFilterAttribute.<ExecuteActionFilterAsyncCore>d__5.MoveNext()\r\n--- Ende der Stapelüberwachung vom vorhergehenden Ort, an dem die Ausnahme ausgelöst wurde ---\r\n bei System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()\r\n bei System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)\r\n bei System.Web.Http.Controllers.ActionFilterResult.<ExecuteAsync>d__5.MoveNext()\r\n--- Ende der Stapelüberwachung vom vorhergehenden Ort, an dem die Ausnahme ausgelöst wurde ---\r\n bei System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()\r\n bei System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)\r\n bei System.Web.Http.Filters.AuthorizationFilterAttribute.<ExecuteAuthorizationFilterAsyncCore>d__3.MoveNext()\r\n--- Ende der Stapelüberwachung vom vorhergehenden Ort, an dem die Ausnahme ausgelöst wurde ---\r\n bei System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()\r\n bei System.Runtime.CompilerServices.TaskAwaiter.HandleNon[...]","TargetSite":"xxxxxx.ooo.uuuuuuuuuuuuuuuuuuuuu.llllDatenVerwaltung.Einkauf[] GetEinkaufsliste(Int32, Int32, Int32)","InnerException":{"Type":"System.NotImplementedException","Message":"Die Methode oder der Vorgang ist nicht implementiert.","Source":"xxxxxx.ooo.uuuuuuuuuuuuuuuuuuuuu.llllDatenVerwaltung.01","StackTrace":" bei xxxxxx.ooo.uuuuuuuuuuuuuuuuuuuuu.llllDatenVerwaltung.llllDatenManager.GetEinkaufsListe(Int32 persId, Int32 jahr, Int32 monat)\r\n bei xxxxxx.ooo.uuuuuuuu.zzz.zzzzzzzz.Integration.BargeldlosIntegrator.GetEinkaufsliste(Int32 persId, Int32 jahr, Int32 monat)","TargetSite":"System.Collections.Generic.IList`1[xxxxxx.ooo.uuuuuuuuuuuuuuuuuuuuu.llllDatenVerwaltung.Einkauf] GetEinkaufsListe(Int32, Int32, Int32)"},},"RequestInfo":{"RequestHost":"zzz.dev.dvint.de","RequestUri":"/iii.zzzzzzzz.API/api/v1/bargeldlos/einkaufsliste/132/2021/4","RequestMethod":"GET","RequestedController":"xxxxxx.ooo.uuuuuuuu.zzz.iii.zzzzzzzz.API.Controllers.BargeldlosController","RequestParams":{"persId":132,"jahr":2021,"monat":4}},"Stage":"Test","ProgramName":"iii.zzzzzzzz.API","Host":"zzz13350"}



I noticed when I use indexed_extractions=json all fields are extracted properly- When I use kv_mode=json then  the last correct extracted field is   exception.innerexception.targetside.
The search result isn't properly formatted for both (no json-structure that can be unfolded).
I could use indexed_extractions as an emergency solution, but I would prefer to use the more storage saving kv_mode=json.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎04-30-2021 01:07 AM

Hi @Sahansral,

did you tried to insert the option TRUNCATE = 1000000 in your props.conf?

Ciao.

Giuseppe

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Level Up Your .conf25: Splunk Arcade Comes to Boston

With .conf25 right around the corner in Boston, there’s a lot to look forward to — inspiring keynotes, ...

Manual Instrumentation with Splunk Observability Cloud: How to Instrument Frontend ...

Although it might seem daunting, as we’ve seen in this series, manual instrumentation can be straightforward ...

Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform

Ready to make your IT operations smarter and more efficient? Discover how to automate Splunk alerts with Red ...