Splunk Search

Cannot see full field list in Add Auto-Extracted Field window for a dataset in a datamodel

john_byun
Path Finder

I'm new to data models and have a very newbie question. We are using SplunkCloud and when I try to add an auto-extracted field to the dataset, I only see a partial list of fields. How do I scroll down or go to the next page when trying to add fields in the "Add Auto-Extracted Field" window?


codebuilder
SplunkTrust

By default, Splunk uses "kvmode=auto" within props.conf. This means that Splunk will attempt to automatically detect the file structure (xml, json, etc) and extract the fields. When it encounters properly structured data, it works pretty great. But if it can't detect what the data structure is, you'll get the results described.

Additionally, if you do not explicitly set kvmode in props.conf, but do use regex for field extraction, Splunk will attempt both. Meaning, it'll honor your regex, but also attempt to recognize the data structure and auto extract fields (which can lead to bad extractions and unnecessary parsing, etc.)

Either set kvmode=none if you are using regex, or kvmode=(xml,json), in props.conf.
Note that any change to props.conf requires cycling Splunk.

KV_MODE = [none|auto|auto_escaped|multi|json|xml]
* Used for search-time field extractions only.
* Specifies the field/value extraction mode for the data.
* Set KV_MODE to one of the following:
  * none: if you want no field/value extraction to take place.
  * auto: extracts field/value pairs separated by equal signs.
  * auto_escaped: extracts fields/value pairs separated by equal signs and
                  honors \" and \\ as escaped sequences within quoted
                  values, e.g field="value with \"nested\" quotes"
  * multi: invokes the multikv search command to expand a tabular event into
           multiple events.
  * xml : automatically extracts fields from XML data.
  * json: automatically extracts fields from JSON data.
* Setting to 'none' can ensure that one or more user-created regexes are not
  overridden by automatic field/value extraction for a particular host,
  source, or source type, and also increases search performance.
* The 'xml' and 'json' modes do not extract any fields when used on data
  that isn't of the correct format (JSON or XML).
* Default: auto

https://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf?utm_source=answers&utm_medium=in...

----
An upvote would be appreciated and Accept Solution if it helps!
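To make the advice above concrete, here is an added props.conf example (not from the thread or from Splunk's documentation) showing the two settings side by side: a JSON sourcetype that relies on KV_MODE = json, and a free-text sourcetype where a hand-written regex is the only search-time extraction because KV_MODE is set to none. The sourcetype names, the field names and the sample log line in the comments are assumptions made up for this illustration. On Splunk Cloud the same keys can be entered in the Advanced section of the sourcetype editor in the GUI instead of editing the file.

```ini
# props.conf (added example; sourcetype names and regex are placeholders)

# Structured data: let the JSON extractor do all the work. With KV_MODE = json
# Splunk extracts nothing if an event is not valid JSON, so no stray key=value
# pairs are picked up from free text.
[my:json_app]
KV_MODE = json

# Free-text data with a custom regex. Constructed sample event:
#   2024-03-01T10:15:22Z LOGIN_FAIL user=jdoe src=203.0.113.7 reason="bad password"
#
# Weak form (default): KV_MODE is left unset, so it falls back to "auto". Splunk
# runs the regex AND the automatic key=value extractor, which here would also
# create "user", "src" and "reason" from the literal pairs in the event and
# can produce duplicate or conflicting fields.
#
# [my:legacy_app]
# EXTRACT-auth = ^(?<ts>\S+)\s+(?<action>LOGIN_(?:OK|FAIL))\s+user=(?<user>\S+)\s+src=(?<src_ip>\d{1,3}(?:\.\d{1,3}){3})

# Corrected form: disable automatic extraction so only the regex runs.
# Field names are defined by the named capture groups in the PCRE pattern.
[my:legacy_app]
KV_MODE = none
EXTRACT-auth = ^(?<ts>\S+)\s+(?<action>LOGIN_(?:OK|FAIL))\s+user=(?<user>\S+)\s+src=(?<src_ip>\d{1,3}(?:\.\d{1,3}){3})
```

After the change, check the result with a search such as `index=<your_index> sourcetype=my:legacy_app | fieldsummary`: the fields listed should be exactly ts, action, user and src_ip plus Splunk's default fields, with no extra auto-extracted "src" or "reason".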

john_byun
Path Finder

We are in SplunkCloud and do not have access to any of the .conf files.


Fouad
Loves-to-Learn Lots

Instead of adjusting the props.conf directly, it is possible to do this in the GUI with Settings -> Sourcetype -> Edit sourcetype -> Advanced.


codebuilder
SplunkTrust
SplunkTrust

Hrmmm, understood. I believe the issue is still the same, but unfortunately I do not have expertise with SplunkCloud, only with on-prem clustering.

@acharlieh ?

----
An upvote would be appreciated and Accept Solution if it helps!