Re: Search result JSON all fields not being extrac...

pdamjanovic · ‎12-11-2019

I have a JSON within my search results whose fields are not being extracted all.
More specifically, a single field within that JSON is much longer than others - 40k characters, other are all under 50 characters. When I try to query any field which is above the long one in specific JSON, I do get a result. However, if I query any fields which is below the long one, no results are returned. Example:
{
"field1":"value1",
"field2":"value2",
"long_field":"............",
"field4":"value4"
}
I can query by field1 and field2 but not long_field and field4. Also, when I add "| fields *" to the query, only field1 and field2 would be among "Interesting fields" select or the results table.

The JSON itself is roughly 30-35 KB in size.

What could be the possible reason for such behavior?

dindu · ‎12-11-2019

Hi,

You might be hitting the max character limits.
The default is near to 10K characters.

Please update the limits.conf.
Do create a limits.conf in your app local directory otherwise it will update the entire Splunk environment
Path - /splunk_home/etc/apps/your_app/local/limits.conf

Please try and let us know the outcome,

 **limits.conf**
 maxchars = <integer>

pdamjanovic · ‎12-12-2019

Setting it to 100.000 did not help (message is under 40.000 chars).

starcher · ‎12-11-2019

Set kv_mode=JSON on the sourcetype definition in props. Do not rely on kv_mode=AUTO

pdamjanovic · ‎12-11-2019

Tried, did not help.

to4kawa · ‎12-11-2019

How is spath result?

pdamjanovic · ‎12-11-2019

I'm not quite sure what is the question here?

Search result JSON all fields not being extracted

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM