I have a Heavy Forwarder monitoring JSON data.
I am getting normal JSON extraction on the HF.
But if I search for the same data on the Search Head, the JSON fields are extracted twice.
I have tried modifying props.conf with
I also tried props on the SH with
AUTO_KV_JSON = false
but I am getting the same result.
You need these props.conf settings on your Search Head:
[my_sourcetype]
KV_MODE = none
AUTO_KV_JSON = false
Restart Splunk on the search head. That's it. If it isn't working, double-check with btool.
You need this on your Forwarder (the server where the json file exists, probably not your HF):
You need this on your Search Heads:
[<YourSourcetypeHere>]
KV_MODE=none
AUTO_KV_JSON = false
We have a similar issue (JSON fields are extracted twice).
On the Universal Forwarder (7.0.3), the settings are like this
On the Search Head (7.2.6), we tried all combinations of the below
[my_sourcetype]
INDEXED_EXTRACTIONS=json
KV_MODE=none
AUTO_KV_JSON = false
Does anyone have a working solution? Also when we apply props on SH member, do we have to restart Splunk on it? We just did _debug/refresh.
Your settings are correct so it must be something else. If you are doing a sourcetype override/overwrite, you must use the ORIGINAL value, NOT the new value. You must deploy your settings to the first full instance(s) of Splunk that handle the events (usually either the HF tier if you use one, or else your Indexer tier), restart all Splunk instances there, send in new events (old events will stay broken), then test using
_index_earliest=-5m to be absolutely certain that you are only examining the newly indexed events.
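One way to check the search-head settings given in the answers above against a forwarder's props, as an added example that is not part of the original thread. It assumes the forwarder stanza uses INDEXED_EXTRACTIONS = json (the forwarder settings are not shown in the thread); the stanza names and sample text are constructed, and the function names are hypothetical.

```python
def parse_props(text):
    """Parse props.conf-style text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

# Search-time settings the answers above give for the search head.
RECOMMENDED_SH = {"KV_MODE": "none", "AUTO_KV_JSON": "false"}

def double_extraction_findings(forwarder_props, search_head_props):
    """Return {sourcetype: {setting: current_value}} for each sourcetype
    that is JSON-extracted at index time (assumption: on the forwarder)
    while the search head lacks the settings recommended in the thread."""
    fwd = parse_props(forwarder_props)
    sh = parse_props(search_head_props)
    findings = {}
    for sourcetype, settings in fwd.items():
        if settings.get("INDEXED_EXTRACTIONS", "").lower() != "json":
            continue
        effective = sh.get(sourcetype, {})
        wrong = {key: effective.get(key, "(unset)")
                 for key, want in RECOMMENDED_SH.items()
                 if effective.get(key, "").lower() != want}
        if wrong:
            findings[sourcetype] = wrong
    return findings

# Constructed sample input: props text as it might appear on each tier.
FORWARDER_PROPS = """
[app_json]
INDEXED_EXTRACTIONS = json
[web_json]
INDEXED_EXTRACTIONS = json
[syslog_plain]
SHOULD_LINEMERGE = false
"""
SEARCH_HEAD_PROPS = """
[app_json]
KV_MODE = none
AUTO_KV_JSON = false
[web_json]
AUTO_KV_JSON = false
"""
if __name__ == "__main__":
    print(double_extraction_findings(FORWARDER_PROPS, SEARCH_HEAD_PROPS))
```

The parser reads one props text per tier and does not model [default] inheritance or app precedence, so feed it the merged stanza that btool reports on each instance.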