Are you a member of the Splunk Community?
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Search result JSON all fields not being extracted
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Search result JSON all fields not being extracted
I have a JSON within my search results whose fields are not being extracted all.
More specifically, a single field within that JSON is much longer than others - 40k characters, other are all under 50 characters. When I try to query any field which is above the long one in specific JSON, I do get a result. However, if I query any fields which is below the long one, no results are returned. Example:
{
"field1":"value1",
"field2":"value2",
"long_field":"............",
"field4":"value4"
}
I can query by field1 and field2 but not long_field and field4. Also, when I add "| fields *" to the query, only field1 and field2 would be among "Interesting fields" select or the results table.
The JSON itself is roughly 30-35 KB in size.
What could be the possible reason for such behavior?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
You might be hitting the max character limits.
The default is near to 10K characters.
Please update the limits.conf.
Do create a limits.conf in your app local directory otherwise it will update the entire Splunk environment
Path - /splunk_home/etc/apps/your_app/local/limits.conf
Please try and let us know the outcome,
**limits.conf**
maxchars = <integer>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Setting it to 100.000 did not help (message is under 40.000 chars).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Set kv_mode=JSON on the sourcetype definition in props. Do not rely on kv_mode=AUTO
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Tried, did not help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How is spath result?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm not quite sure what is the question here?
.conf25 Registration is OPEN!
Detecting Cross-Channel Fraud with Splunk
Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside
