I have a json file like below

{"env":"UAT","label":"jenkins-17887.api.v2.dm.btc","App":"dm-d-services","rlmtemplate":"f2_api_fed","lastupdate":2020-11-23 11:09:78:455,"region":"APAC"}{"env":"UAT","label":"jenkins-17687.api.v2.dm.btc","App":"dt-s-services","rlmtemplate":"f3_api_fed","lastupdate":2020-11-23 11:025:79:475,"region":"APAC"}{"env":"UAT","label":"jenkins-18657.api.v2.dm.btc","App":"dt-s-services","rlmtemplate":"f3_api_fed","lastupdate":2020-11-23 11:025:79:475,"region":"APAC"}{"env":"UAT","label":"jenkins-17637.api.v2.dm.btc","App":"dt-s-services","rlmtemplate":"f3_api_fed","lastupdate":2020-11-23 11:025:79:475,"region":"APAC"}

in splunk,

_raw contains valid json data for all events.

issue is all fields are multi valued containing two copies of the json object.

forwarding json data to splunk and props is installed on indexer not in heavy forwarder,

props.conf

[test_json]

INDEXED_EXTRACTIONS = JSON

KV_MODE = none

AUTO_KV_JSON = false

SHOULD_LINEMERGE = false

FYI , using splunk 8.0

tried by setting KV_MODE = JSON  but it is also not working