
When adding "KV_MODE=none" to props.conf, how come unwanted field extractions are not being stopped?

oversight
New Member

I am looking for assistance with unwanted fields extracted automatically.

I am using a custom sourcetype that I added with a field extraction based on regex. This regex extracts four fields: "thread_name", "log_level", "event_category", and "messages". This works correctly, except for when I click the "xx more fields" link under Interesting Fields in the sidebar of search. That is where I see the unwanted fields are listed, and when I examine an event with one of those fields, I can see the field/value pairs are listed under the Event. The four fields specified in my regex are extracted correctly; I just want to suppress the extraction of the "fields" from within the SQL queries.

Following the advice from another post, I added KV_MODE=none to props.conf on the forwarder and reindexed the data, but the issue still occurred. I then added KV_MODE=none to props.conf on the indexer, and reindexed the data, but I am still seeing key/value pairs extracted from the SQL queries.

Can you please advise me of any other recommendations to stop this from happening?

0 Karma
1 Solution

woodcock
Esteemed Legend

You need to deploy this to your Search Head tier, not the Indexers.

0 Karma

oversight
New Member

I verified no data re-indexing is required. Thank you!

0 Karma

oversight
New Member

The deployment consists of a single server running Splunk Enterprise, and forwarders installed on various hosts. Can you confirm if I need to deploy this at $SPLUNK_HOME/etc/apps/search/local/props.conf on the server?

0 Karma

oversight
New Member

I deployed it to $SPLUNK_HOME/etc/apps/search/local/props.conf and it worked. Thank you!

0 Karma

somesoni2
Revered Legend

KV_MODE=none is the search-time field extraction setting and should be set on the Search Head. No data re-indexing is required.

0 Karma
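
As an added illustration (not part of the thread and not taken from the poster's configuration), the search-time stanza the answers describe could look like the following. The sourcetype name, the sample log line and the regex are constructed placeholders, since the thread shows none of them.

```ini
# Added example. Stanza name, sample event and regex are constructed;
# substitute the real sourcetype and the existing extraction.
#
# File: $SPLUNK_HOME/etc/apps/search/local/props.conf
# This is the path the original poster confirmed on a single-server
# deployment. In a distributed deployment the same stanza belongs on the
# search head tier, not on the forwarders or indexers.

[my_custom_sourcetype]
# Explicit search-time extraction of the four wanted fields.
# Constructed for events shaped like:
#   [worker-7] WARN db.query - SELECT name FROM users WHERE id=42
EXTRACT-app_fields = ^\[(?<thread_name>[^\]]+)\]\s+(?<log_level>\w+)\s+(?<event_category>\S+)\s+-\s+(?<messages>.*)$

# Disable automatic key=value discovery at search time, so pairs such as
# id=42 inside the SQL text are no longer turned into fields.
# Explicit extractions (the EXTRACT- line above) still apply.
KV_MODE = none

# Because this is a search-time setting, already-indexed events are
# affected too and nothing has to be re-indexed.
#
# To confirm which file supplies the effective value on the search head:
#   $SPLUNK_HOME/bin/splunk btool props list my_custom_sourcetype --debug
```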

oversight
New Member

Thank you!

0 Karma

skoelpin
SplunkTrust

Did you restart the Splunk service after making those props changes?

0 Karma

oversight
New Member

Yes. I restarted the Splunk service on the forwarder, and stopped/started Splunk on the indexer.

0 Karma