I have a Heavy Forwarder monitoring JSON data.
I am getting normal JSON extraction on the HF.
But if I search for the same data on the Search Head, JSON fields are extracted twice.
I have tried modifying props.conf with
KV_MODE=none
INDEXED_EXTRACTIONS=json
I also tried props on the SH with
AUTO_KV_JSON = false
but got the same result.
You need these props.conf settings on your Search Head:
[my_sourcetype]
KV_MODE = none
AUTO_KV_JSON = false
Restart Splunk on the search head. That's it. If it isn't working, double-check with btool.
@vinayakwagh Please see if the post below helps you. We had faced a similar issue and it is resolved now:
https://answers.splunk.com/answers/768573/why-are-json-fields-extracted-and-displayed-twice.html
You need this on your Forwarder (the server where the json file exists, probably not your HF):
INDEXED_EXTRACTIONS=json
sourcetype=YourSourcetypeHere
You need this on your Search Heads:
[<YourSourcetypeHere>]
KV_MODE=none
AUTO_KV_JSON = false
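As an added example (not from this thread or from Splunk), a small Python check that applies the rule in the answer above: for every sourcetype the forwarder indexes with INDEXED_EXTRACTIONS=json, the search head stanza must set KV_MODE=none and AUTO_KV_JSON=false (the search-time defaults are auto and true), and it also flags the singular INDEXED_EXTRACTION misspelling. The stanza contents are constructed samples modelled on the ones posted here, not a real deployment.

```python
import configparser

# Constructed props.conf samples modelled on this thread, not from a real deployment.
FORWARDER_PROPS = """
[my_sourcetype]
INDEXED_EXTRACTIONS = json
KV_MODE = none
"""

SEARCH_HEAD_PROPS = """
[my_sourcetype]
KV_MODE = json

[json_app]
INDEXED_EXTRACTION = json
KV_MODE = none
AUTO_KV_JSON = false
"""

# Search-time defaults from props.conf.spec when a key is not set in the stanza.
DEFAULTS = {"KV_MODE": "auto", "AUTO_KV_JSON": "true"}

def parse_props(text):
    """Parse props.conf text into {stanza: {key: value}}, keeping key case."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return {name: dict(cp.items(name)) for name in cp.sections()}

def audit(forwarder_text, search_head_text):
    """Return {sourcetype: [findings]} where JSON fields would be extracted twice."""
    fwd, sh = parse_props(forwarder_text), parse_props(search_head_text)
    problems = {}
    for name in sorted(set(fwd) | set(sh)):
        notes = []
        for side, conf in (("forwarder", fwd), ("search head", sh)):
            if "INDEXED_EXTRACTION" in conf.get(name, {}):
                notes.append(f"{side}: INDEXED_EXTRACTION is misspelled, the key is INDEXED_EXTRACTIONS")
        # Index-time JSON extraction plus search-time automatic KV is what duplicates fields.
        if fwd.get(name, {}).get("INDEXED_EXTRACTIONS", "").lower() == "json":
            effective = {**DEFAULTS, **sh.get(name, {})}  # a missing SH stanza means defaults apply
            if effective["KV_MODE"].lower() != "none":
                notes.append(f"search head: KV_MODE = {effective['KV_MODE']}, should be none")
            if effective["AUTO_KV_JSON"].lower() != "false":
                notes.append(f"search head: AUTO_KV_JSON = {effective['AUTO_KV_JSON']}, should be false")
        if notes:
            problems[name] = notes
    return problems

if __name__ == "__main__":
    print(audit(FORWARDER_PROPS, SEARCH_HEAD_PROPS))
```

Feed it the output of `splunk btool props list --debug` from each tier to check the effective settings rather than a single file.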
We have a similar issue (JSON fields are extracted twice).
On the Universal Forwarder (7.0.3) the settings are like this:
[my_sourcetype]
SHOULD_LINEMERGE=true
LINE_BREAKER=([\r\n]+)
NO_BINARY_CHECK=true
CHARSET=UTF-8
INDEXED_EXTRACTIONS=json
KV_MODE=none
category=Structured
description=JavaScript Object Notation format. For more information, visit http://json.org/
disabled=false
pulldown_type=true
TIMESTAMP_FIELDS=timestamp
On the Search Head (7.2.6), tried all combinations of the below:
[my_sourcetype]
INDEXED_EXTRACTIONS=json
KV_MODE=none
AUTO_KV_JSON = false
Does anyone have a working solution? Also, when we apply props on an SH member, do we have to restart Splunk on it? We just did _debug/refresh.
Your settings are correct so it must be something else. If you are doing a sourcetype override/overwrite, you must use the ORIGINAL value, NOT the new value. You must deploy your settings to the first full instance(s) of Splunk that handle the events (usually either the HF tier if you use one, or else your Indexer tier), restart all Splunk instances there, send in new events (old events will stay broken), then test using _index_earliest=-5m to be absolutely certain that you are only examining the newly indexed events.
Yes, restart Splunk.
Restarted, no luck.
I have a similar issue like you; even after a restart, no luck.
Could you please let me know if you got it fixed?
Hi Vinay,
Try this, it worked for me.
In props.conf add the below:
[json_app]
INDEXED_EXTRACTIONS=json
KV_MODE=none
Hi,
In which props should I enter this stanza?
On the SH or the HF?