Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Missing events? JSON payload and indexed_extractions

swangertyler
Path Finder
‎09-23-2019 12:04 PM

We have events where the JSON payload has 100s of fields. When I table a field, we can see entries for some events but not others. However, if I spath the field beforehand, I then can discover it. We are using indexed_extractions? Is there a limit with this?

Reply
1 Solution
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎09-23-2019 11:03 PM

@swangertyler

As your single JSON event has 100+ fields, so extracting first 100 fields is the default behaviour of the Splunk. You can set this number by updating limits.conf.

 limit = <integer>
    * The maximum number of fields that an automatic key-value field extraction
      (auto kv) can generate at search time.
    * If search-time field extractions are disabled (KV_MODE=none in props.conf)
      then this setting determines the number of index-time fields that will be
      returned.
    * The summary fields 'host', 'index', 'source', 'sourcetype', 'eventtype',
      'linecount', 'splunk_server', and 'splunk_server_group' do not count against
      this limit and will always be returned.
    * Increase this setting if, for example, you have indexed data with a large
      number of columns and want to ensure that searches display all fields from
      the data.
    * Default: 100

https://docs.splunk.com/Documentation/Splunk/latest/Admin/Limitsconf#.5Bkv.5D

If your JSON length is 5000+ character than you can also try by configuring extraction_cutoff of spath stanza. 

extraction_cutoff = <integer>
* For extract-all spath extraction mode, only apply extraction to the first
  <integer> number of bytes.
* Default: 5000

https://docs.splunk.com/Documentation/Splunk/latest/Admin/Limitsconf#.5Bspath.5D

View solution in original post

Reply
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎09-23-2019 11:03 PM

@swangertyler

As your single JSON event has 100+ fields, so extracting first 100 fields is the default behaviour of the Splunk. You can set this number by updating limits.conf.

 limit = <integer>
    * The maximum number of fields that an automatic key-value field extraction
      (auto kv) can generate at search time.
    * If search-time field extractions are disabled (KV_MODE=none in props.conf)
      then this setting determines the number of index-time fields that will be
      returned.
    * The summary fields 'host', 'index', 'source', 'sourcetype', 'eventtype',
      'linecount', 'splunk_server', and 'splunk_server_group' do not count against
      this limit and will always be returned.
    * Increase this setting if, for example, you have indexed data with a large
      number of columns and want to ensure that searches display all fields from
      the data.
    * Default: 100

https://docs.splunk.com/Documentation/Splunk/latest/Admin/Limitsconf#.5Bkv.5D

If your JSON length is 5000+ character than you can also try by configuring extraction_cutoff of spath stanza. 

extraction_cutoff = <integer>
* For extract-all spath extraction mode, only apply extraction to the first
  <integer> number of bytes.
* Default: 5000

https://docs.splunk.com/Documentation/Splunk/latest/Admin/Limitsconf#.5Bspath.5D

Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...