Getting Data In

When adding "KV_MODE=none" to props.conf, how come unwanted field extractions are not being stopped?

oversight
New Member

I am looking for assistance with unwanted fields extracted automatically.

I am using a custom sourcetype that I added with a field extraction based on regex. This regex extracts four fields: "thread_name", "log_level", "event_category", and "messages". This works correctly, except for when I click the "xx more fields" link under Interesting Fields in the sidebar of search. That is where I see the unwanted fields are listed, and when I examine an event with one of those fields, I can see the field/value pairs are listed under the Event. The four fields specified in my regex are extracted correctly; I just want to suppress the extraction of the "fields" from within the SQL queries.

Following the advice from another post, I added KV_MODE=none to props.conf on the forwarder and reindexed the data, but the issue still occurred. I then added KV_MODE=none to props.conf on the indexer, and reindexed the data, but I am still seeing key/value pairs extracted from the SQL queries.

Can you please advise me of any other recommendations to stop this from happening?

0 Karma
1 Solution

woodcock
Esteemed Legend

You need to deploy this to your Search Head tier, not the Indexers.

View solution in original post

0 Karma

oversight
New Member

I verified no data re-indexing is required. Thank you!

0 Karma

woodcock
Esteemed Legend

You need to deploy this to your Search Head tier, not the Indexers.

0 Karma

oversight
New Member

The deployment consists of a single server running Splunk Enterprise, and forwarders installed on various hosts. Can you confirm if need to deploy this at $SPLUNK_HOME/etc/apps/search/local/props.conf on the server ?

0 Karma

oversight
New Member

I deployed it to $SPLUNK_HOME/etc/apps/search/local/props.conf and it worked. Thank you!

0 Karma

somesoni2
SplunkTrust
SplunkTrust

The KV_MODE=none is the search time field extraction setting and should be set on the Search Head. No data re-indexing is required.

0 Karma

oversight
New Member

Thank you!

0 Karma

skoelpin
SplunkTrust
SplunkTrust

Did you restart the Splunk service after making those props changes?

0 Karma

oversight
New Member

Yes. I restarted the Splunk service on the forwarder, and stopped/started Splunk on the indexer.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...