Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Search result JSON all fields not being extracted

pdamjanovic
New Member
‎12-11-2019 04:31 AM

I have a JSON within my search results whose fields are not being extracted all.
More specifically, a single field within that JSON is much longer than others - 40k characters, other are all under 50 characters. When I try to query any field which is above the long one in specific JSON, I do get a result. However, if I query any fields which is below the long one, no results are returned. Example:
{
"field1":"value1",
"field2":"value2",
"long_field":"............",
"field4":"value4"
}
I can query by field1 and field2 but not long_field and field4. Also, when I add "| fields *" to the query, only field1 and field2 would be among "Interesting fields" select or the results table.

The JSON itself is roughly 30-35 KB in size.

What could be the possible reason for such behavior?

0 Karma
Reply

dindu
Contributor
‎12-11-2019 08:30 AM

Hi,

You might be hitting the max character limits.
The default is near to 10K characters.

Please update the limits.conf.
Do create a limits.conf in your app local directory otherwise it will update the entire Splunk environment
Path - /splunk_home/etc/apps/your_app/local/limits.conf

Please try and let us know the outcome,

 **limits.conf**
 maxchars = <integer>
0 Karma
Reply

pdamjanovic
New Member
‎12-12-2019 01:47 AM

Setting it to 100.000 did not help (message is under 40.000 chars).

0 Karma
Reply

starcher
Influencer
‎12-11-2019 05:58 AM

Set kv_mode=JSON on the sourcetype definition in props. Do not rely on kv_mode=AUTO

0 Karma
Reply

pdamjanovic
New Member
‎12-11-2019 06:36 AM

Tried, did not help.

0 Karma
Reply

to4kawa
Ultra Champion
‎12-11-2019 05:49 AM

How is spath result?

0 Karma
Reply

pdamjanovic
New Member
‎12-11-2019 06:36 AM

I'm not quite sure what is the question here?

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  &#x1f680; Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...