Getting Data In
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Search result JSON all fields not being extrac...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Search result JSON all fields not being extracted
pdamjanovic
New Member
12-11-2019
04:31 AM
I have a JSON within my search results whose fields are not being extracted all.
More specifically, a single field within that JSON is much longer than others - 40k characters, other are all under 50 characters. When I try to query any field which is above the long one in specific JSON, I do get a result. However, if I query any fields which is below the long one, no results are returned. Example:
{
"field1":"value1",
"field2":"value2",
"long_field":"............",
"field4":"value4"
}
I can query by field1 and field2 but not long_field and field4. Also, when I add "| fields *" to the query, only field1 and field2 would be among "Interesting fields" select or the results table.
The JSON itself is roughly 30-35 KB in size.
What could be the possible reason for such behavior?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dindu
Contributor
12-11-2019
08:30 AM
Hi,
You might be hitting the max character limits.
The default is near to 10K characters.
Please update the limits.conf.
Do create a limits.conf in your app local directory otherwise it will update the entire Splunk environment
Path - /splunk_home/etc/apps/your_app/local/limits.conf
Please try and let us know the outcome,
**limits.conf**
maxchars = <integer>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
pdamjanovic
New Member
12-12-2019
01:47 AM
Setting it to 100.000 did not help (message is under 40.000 chars).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
starcher
Influencer
12-11-2019
05:58 AM
Set kv_mode=JSON on the sourcetype definition in props. Do not rely on kv_mode=AUTO
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
pdamjanovic
New Member
12-11-2019
06:36 AM
Tried, did not help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to4kawa
Ultra Champion
12-11-2019
05:49 AM
How is spath result?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
pdamjanovic
New Member
12-11-2019
06:36 AM
I'm not quite sure what is the question here?
Get Updates on the Splunk Community!
Dashboards: Hiding charts while search is being executed and other uses for tokens
There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...
Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...
This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...
Brains, Bytes, and Boston: Learn from the Best at .conf25
When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
