Search result JSON all fields not being extracted

pdamjanovic · ‎12-11-2019

I have a JSON within my search results whose fields are not being extracted all.
More specifically, a single field within that JSON is much longer than others - 40k characters, other are all under 50 characters. When I try to query any field which is above the long one in specific JSON, I do get a result. However, if I query any fields which is below the long one, no results are returned. Example:
{
"field1":"value1",
"field2":"value2",
"long_field":"............",
"field4":"value4"
}
I can query by field1 and field2 but not long_field and field4. Also, when I add "| fields *" to the query, only field1 and field2 would be among "Interesting fields" select or the results table.

The JSON itself is roughly 30-35 KB in size.

What could be the possible reason for such behavior?

dindu · ‎12-11-2019

Hi,

You might be hitting the max character limits.
The default is near to 10K characters.

Please update the limits.conf.
Do create a limits.conf in your app local directory otherwise it will update the entire Splunk environment
Path - /splunk_home/etc/apps/your_app/local/limits.conf

Please try and let us know the outcome,

 **limits.conf**
 maxchars = <integer>

pdamjanovic · ‎12-12-2019

Setting it to 100.000 did not help (message is under 40.000 chars).

starcher · ‎12-11-2019

Set kv_mode=JSON on the sourcetype definition in props. Do not rely on kv_mode=AUTO

pdamjanovic · ‎12-11-2019

Tried, did not help.

to4kawa · ‎12-11-2019

How is spath result?

pdamjanovic · ‎12-11-2019

I'm not quite sure what is the question here?

Search result JSON all fields not being extracted

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability