Getting Data In

When adding "KV_MODE=none" to props.conf, how come unwanted field extractions are not being stopped?

oversight
Explorer

I am looking for assistance with unwanted fields extracted automatically.

I am using a custom sourcetype that I added with a field extraction based on regex. This regex extracts four fields: "thread_name", "log_level", "event_category", and "messages". This works correctly, except for when I click the "xx more fields" link under Interesting Fields in the sidebar of search. That is where I see the unwanted fields are listed, and when I examine an event with one of those fields, I can see the field/value pairs are listed under the Event. The four fields specified in my regex are extracted correctly; I just want to suppress the extraction of the "fields" from within the SQL queries.

Following the advice from another post, I added KV_MODE=none to props.conf on the forwarder and reindexed the data, but the issue still occurred. I then added KV_MODE=none to props.conf on the indexer, and reindexed the data, but I am still seeing key/value pairs extracted from the SQL queries.

Can you please advise me of any other recommendations to stop this from happening?

1 Solution

woodcock
Esteemed Legend

You need to deploy this to your Search Head tier, not the Indexers.


oversight
Explorer

I verified no data re-indexing is required. Thank you!

0 Karma

oversight
Explorer

The deployment consists of a single server running Splunk Enterprise, and forwarders installed on various hosts. Can you confirm if I need to deploy this at $SPLUNK_HOME/etc/apps/search/local/props.conf on the server?

0 Karma

oversight
Explorer

I deployed it to $SPLUNK_HOME/etc/apps/search/local/props.conf and it worked. Thank you!

0 Karma

somesoni2
Revered Legend

The KV_MODE=none is the search time field extraction setting and should be set on the Search Head. No data re-indexing is required.

oversight
Explorer

Thank you!

0 Karma

skoelpin
SplunkTrust

Did you restart the Splunk service after making those props changes?

0 Karma

oversight
Explorer

Yes. I restarted the Splunk service on the forwarder, and stopped/started Splunk on the indexer.

0 Karma
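
The fix the thread arrived at, written out as a props.conf fragment. This is an added example, not a file posted by anyone in the thread: the stanza name `my_custom_sourcetype`, the extraction class name `app_fields`, and the regex are assumptions, since the thread shows neither the sourcetype name nor the log format.

```ini
# File: $SPLUNK_HOME/etc/apps/search/local/props.conf
# Location: the search head (on a single-server deployment, that server).
# The same setting on a forwarder has no effect on search-time extraction.

# Stanza name is a placeholder; use the actual sourcetype name.
[my_custom_sourcetype]

# Explicit search-time extraction for the four fields named in the question.
# The regex is constructed for illustration and assumes events shaped like:
#   [worker-1] INFO db.query SELECT * FROM t WHERE id=5
EXTRACT-app_fields = ^\[(?<thread_name>[^\]]+)\]\s+(?<log_level>\w+)\s+(?<event_category>\S+)\s+(?<messages>.*)$

# Turn off automatic key=value discovery at search time, so pairs such as
# id=5 inside the SQL text no longer appear as fields. The EXTRACT- line
# above is an explicit extraction and keeps working.
KV_MODE = none

# Because this is a search-time setting, already indexed events are
# affected as well; no re-indexing is needed.
#
# To see which props.conf file supplies each effective setting:
#   $SPLUNK_HOME/bin/splunk btool props list my_custom_sourcetype --debug
```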