Solved: JSON - options either limits/tuncates events OR ex...

mjm295 · ‎09-04-2016

Hi Guys

Pretty new to all this and struggling to understand all the other answers.

I have a cronjob which is extracting CMDB data from service now in json format at 1am each day. its over writes a file. My splunk is monitoring that file. I am expecting 463 results/events. with 90ish fields per event.

I have universal forwarder on a server with internet access which forwards straight to the indexers.

I have tried these settings in props.conf:]

KV_MODE = json
AUTO_KV_JSON = false
NO_BINARY_CHECK = 1
TRUNCATE = 0

BUT using this searches only give me 207 results/events.

So I then tried

INDEXED EXTRACTIONS = JSON
 KV_MODE  = none
 NO_BINARY_CHECK = 1
 TRUNCATE = 0

This gives me the expected 463 events, but the search is extracting the fields twice.

How do I get all the events, with only 1 extracted
is there some sort of LIMIT I can set

mjm295 · ‎09-04-2016

ok did some more reading and stuck with the second option but added

kvmode = none

to my search head props (for this 1 source,, now I am seeing all results, but only 1 set.

i need to understand the indexed extractions better...

View solution in original post

mjm295 · ‎09-04-2016

ok did some more reading and stuck with the second option but added

kvmode = none

to my search head props (for this 1 source,, now I am seeing all results, but only 1 set.

i need to understand the indexed extractions better...

JSON - options either limits/tuncates events OR extract twice.

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2