Other Admin
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

KV_MODE=json

splunklearner
Communicator
‎01-16-2025 09:21 AM

Hello,

I wanted to know where I should keep this attribute KV_MODE=json to extract the json fields automatically? In Deployment server or manager node or deployer?

We have props.conf in a app in DS. DS push that app to manager node. And manager will distribute that app to peer nodes. Can I add this in that props.conf?

Or any alternative please suggest.

0 Karma
Reply

kiran_panchavat
Champion
‎01-16-2025 09:21 PM

@splunklearner 

To extract key-value pairs from JSON data during searches, configure props.conf with KV_MODE=JSON. If you have a Splunk deployment with a Search Head Cluster (SHC), use the deployer to push this configuration to all search heads. Keep in mind that props.conf on Universal Forwarders has limited functionality.

refer this 

https://www.aplura.com/assets/pdf/where_to_put_props.pdf 

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
Reply

splunklearner
Communicator
‎01-16-2025 10:32 PM

Hi @kiran_panchavat ,

We already have props.conf for same sourcetype in a app in DS which we push to manager node and manager will distribute to indexers. 

Now my question is can I include my kv_mode in same props.conf and push it to deployer (so that it will push to SHs) but it has line breaker bla bla in it.

or

should I create new app in deployer and then in local new props.conf and push it to SHs?

And we need all data (all sourcetypes) to follow this KV_MODE=json... Is there any way I can give by default rather than specifying each sourcetype seperately?

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎01-16-2025 11:14 PM
You can deploy the same props.conf to all nodes if you want. Each node use that part of it which have configuration which affects its behavior. Of course you must ensure that you don’t set twice e.g json handling with different way one for indexing and another for search. This leads you to see duplicate events.
0 Karma
Reply

splunklearner
Communicator
‎01-17-2025 10:44 AM

@isoutamo but if give same props.conf with KV_MODE=json and distribute it to both indexers and search heads, will it lead to duplication of events or is it fine? 

0 Karma
Reply

splunklearner
Communicator
‎01-16-2025 09:53 AM

Second point I didn't get you. We have a seperate syslog server where UF is installed and from there logs will be forwarded to our DS. what can I do now?

Do I need to give props.conf on both deployer and forwarder?

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-16-2025 09:25 AM

Hi @splunklearner ,

the props.conf must be deployed to the Search Heads (using the SHC-Deployer if you have a cluster).

and to the Forwarder that ingest logs, using the DS.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...