I'm new to data models and have a very newbie question. We are using SplunkCloud and when I try to add an auto-extracted field to the dataset, I only see a partial list of fields. How do I scroll down or go to next page when trying to add fields to the "Add Auto-Extracted Field" window?
By default, Splunk uses "kvmode=auto" within props.conf. This means that Splunk will attempt to automatically detect the file structure (xml, json, etc) and extract the fields. When it encounters properly structured data, it works pretty great. But if it can't detect what the data structure is, you'll get the results described.
Additionally, if you do not explicitly set kvmode in props.conf, but do use regex for field extraction, Splunk will attempt both. Meaning, it'll honor your regex, but also attempt to recognize the data structure and auto extract fields (which can lead to bad extractions and unnecessary parsing, etc.)
Either set kvmode=none if you are using regex, or kvmode=(xml,json), in props.conf.
Note that any change to props.conf requires cycling Splunk.
KV_MODE = [none|auto|auto_escaped|multi|json|xml]
* Used for search-time field extractions only.
* Specifies the field/value extraction mode for the data.
* Set KV_MODE to one of the following:
* none: if you want no field/value extraction to take place.
* auto: extracts field/value pairs separated by equal signs.
* auto_escaped: extracts fields/value pairs separated by equal signs and
                honors \" and \\ as escaped sequences within quoted
                values, e.g field="value with \"nested\" quotes"
* multi: invokes the multikv search command to expand a tabular event into
         multiple events.
* xml : automatically extracts fields from XML data.
* json: automatically extracts fields from JSON data.
* Setting to 'none' can ensure that one or more user-created regexes are not
overridden by automatic field/value extraction for a particular host,
source, or source type, and also increases search performance.
* The 'xml' and 'json' modes do not extract any fields when used on data
that isn't of the correct format (JSON or XML).
* Default: auto
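To make the advice above concrete, here is an added props.conf example (not from the original answer or from Splunk's own documentation) showing the three cases the answer describes. The sourcetype names, the field names and the regex are assumptions for illustration; only the KV_MODE values and the EXTRACT- setting are real props.conf keys.

```ini
# Added example props.conf (hypothetical sourcetypes, not from the original post)

# Case 1: events are plain "key=value" pairs.
# The default auto mode is fine here; shown explicitly for clarity.
[example_kv_app]
KV_MODE = auto

# Case 2: events are JSON.
# Pinning KV_MODE to json stops Splunk from guessing the structure, and
# json mode extracts nothing at all if an event is not valid JSON.
[example_json_app]
KV_MODE = json

# Case 3: free-text events parsed by a search-time regex.
# KV_MODE = none keeps the automatic extractor from overriding the regex
# fields and avoids the extra parsing work at search time.
# (Sample event this regex assumes, constructed for the example:
#   2024-01-01T12:00:00Z user=alice action=login result=ok)
[example_regex_app]
KV_MODE = none
EXTRACT-login_fields = ^(?<timestamp>\S+)\s+user=(?<user>\S+)\s+action=(?<action>\w+)\s+result=(?<result>\w+)
```

KV_MODE is a search-time setting, so the stanza belongs on the search head (in Splunk Cloud, in an app or in the sourcetype's Advanced settings as described further down in this thread); the same KV_MODE key and value are what you enter there.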
We are in SplunkCloud and do not have access to any of the .conf files.
Instead of adjusting the props.conf directly, it is possible to do this with the GUI with settings-> sourcetype -> edit sourcetype -> Advanced.
Hrmmm, understood. I believe the issue is still the same, but unfortunately I do not have expertise with SplunkCloud, only on-prem clustering.
@acharlieh ?