Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: What is the difference between kv_mode=json an...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What will be the end result if we have kv_mode=json versus kv_mode=none in the props.conf? Iff you can explain with an example, that will b e really helpful.
Thank You
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
From the Knowledge Manager Manual:
none: Disables field extraction for the source, source type, or host
identified by the stanza name. You can use this setting to ensure that
other regexes that you have created are not overridden by automatic
field/value extraction for a particular source, source type, or host. You can
also use this setting to increase search performance by disabling
extraction for common but nonessential fields. We have some field
extraction examples at the end of this topic that demonstrate the disabling
of field extraction in different circumstances.
json: Use this setting if you intend to use the field extraction stanza to
extract fields from JSON data.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
From the Knowledge Manager Manual:
none: Disables field extraction for the source, source type, or host
identified by the stanza name. You can use this setting to ensure that
other regexes that you have created are not overridden by automatic
field/value extraction for a particular source, source type, or host. You can
also use this setting to increase search performance by disabling
extraction for common but nonessential fields. We have some field
extraction examples at the end of this topic that demonstrate the disabling
of field extraction in different circumstances.
json: Use this setting if you intend to use the field extraction stanza to
extract fields from JSON data.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SHOULD_LINEMERGE = false
TIME_FORMAT = %Y-%m-%d %T
TIME_PREFIX = date
MAX_TIMESTAMP_LOOKAHEAD = 30
TRUNCATE = 0
TZ = UTC
NO_BINARY_CHECK=true
KV_MODE = none
LINE_BREAKER = }([\r\n]+|){
INDEXED_EXTRACTIONS = json
AUTO_KV_JSON = false
TRANSFORMS-hostoverriede = hostoverride
EXTRACT-KVPS = (?:args":")?(?<_KEY_1>[^"=]+)=(?:\")?(?<_VAL_1>(\d+|[^\"]+)
I am using that props only in heavy forwarder and the field extraction happening twice . No other props any where else.
What could be the issue ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You might be using any kind of field Aliases
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank You.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
