Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

JSON - options either limits/tuncates events OR extract twice.

mjm295
Path Finder
‎09-04-2016 02:24 AM

Hi Guys

Pretty new to all this and struggling to understand all the other answers.

I have a cronjob which is extracting CMDB data from service now in json format at 1am each day. its over writes a file. My splunk is monitoring that file. I am expecting 463 results/events. with 90ish fields per event.

I have universal forwarder on a server with internet access which forwards straight to the indexers.

I have tried these settings in props.conf:]

KV_MODE = json
AUTO_KV_JSON = false
NO_BINARY_CHECK = 1
TRUNCATE = 0

BUT using this searches only give me 207 results/events.

So I then tried

INDEXED EXTRACTIONS = JSON
 KV_MODE  = none
 NO_BINARY_CHECK = 1
 TRUNCATE = 0

This gives me the expected 463 events, but the search is extracting the fields twice.

How do I get all the events, with only 1 extracted
is there some sort of LIMIT I can set

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

mjm295
Path Finder
‎09-04-2016 03:12 PM

ok did some more reading and stuck with the second option but added 

kvmode = none

to my search head props (for this 1 source,, now I am seeing all results, but only 1 set.

i need to understand the indexed extractions better...

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

mjm295
Path Finder
‎09-04-2016 03:12 PM

ok did some more reading and stuck with the second option but added 

kvmode = none

to my search head props (for this 1 source,, now I am seeing all results, but only 1 set.

i need to understand the indexed extractions better...

0 Karma
Reply
Get Updates on the Splunk Community!

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...