On a Raspberry Pi 3 armv7l GNU/Linux, INDEXED_EXTRACTIONS=JSON in the props.conf file results in unrecoverable JSON StreamId processing errors:

05-06-2020 17:52:07.836 +0100 ERROR JsonLineBreaker - JSON StreamId:8017092045127549753 had parsing error:Unexpected character: '5' - data_source="/opt/splunkforwarder/var/log/splunk/metrics.log", data_host="rpi3", data_sourcetype="json"
05-06-2020 17:52:07.836 +0100 ERROR JsonLineBreaker - JSON StreamId:8017092045127549753 had parsing error:Unexpected character: '5' - data_source="/opt/splunkforwarder/var/log/splunk/metrics.log", data_host="rpi3", data_sourcetype="json"
05-06-2020 17:52:07.836 +0100 ERROR JsonLineBreaker - JSON StreamId:8017092045127549753 had parsing error:Unexpected character: '5' - data_source="/opt/splunkforwarder/var/log/splunk/metrics.log", data_host="rpi3", data_sourcetype="json"

with the log expanding so quickly, it fills up the /opt/splunkforwarder/var/log/splunk/splunkd.log to maximum logrotate capacity.

Steps to duplicate bug:

1. Install splunkforwarder-8.0.3-a6754d8441bf-Linux-arm.tgz onto a Raspberry Pi 3.

2. Edit the /opt/splunkforwarder/etc/system/local/props.conf and add the following code:

   [default]
   SHOULD_LINEMERGE = false
   KV_MODE = none
   INDEXED_EXTRACTIONS=JSON
   NO_BINARY_CHECK = true
   TRUNCATE = 0

3. Add a local JSON file to the splunk file monitor with $SPLUNKHOME/bin/splunk add monitor /var/log/myvalidjsonfile.json -sourcetype json -host myhost -index myindex

4. Restart splunk.

5. Check the file tail -f $SPLUNKHOME/var/log/splunk/splunkd.log

6. Watch it scroll away off the screen! The errors above are reported for both metrics.log and the splunkd.log itself(!)

7. Stop splunk.

8. Edit props.conf again and remove the line INDEXED_EXTRACTIONS=JSON.

9. Restart splunk.

10. Your splunkd.log is back to normal again.