
Cannot see full field list in Add Auto-Extracted Field window for a dataset in a datamodel

Path Finder

I'm new to data models and have a very newbie question. We are using SplunkCloud and when I try to add an auto-extracted field to the dataset, I only see a partial list of fields. How do I scroll down or go to next page when trying to add fields to the "Add Auto-Extracted Field" window?


Re: Cannot see full field list in Add Auto-Extracted Field window for a dataset in a datamodel

Motivator

By default, Splunk uses "kvmode=auto" within props.conf. This means that Splunk will attempt to automatically detect the file structure (xml, json, etc) and extract the fields. When it encounters properly structured data, it works pretty great. But if it can't detect what the data structure is, you'll get the results described.

Additionally, if you do not explicitly set kvmode in props.conf, but do use regex for field extraction, Splunk will attempt both. Meaning, it'll honor your regex, but also attempt to recognize the data structure and auto extract fields (which can lead to bad extractions and unnecessary parsing, etc.)

Either set kvmode=none if you are using regex, or kvmode= (xml,json) in props.conf.
Note that any change to props.conf requires cycling Splunk.

KV_MODE = [none|auto|auto_escaped|multi|json|xml]
* Used for search-time field extractions only.
* Specifies the field/value extraction mode for the data.
* Set KV_MODE to one of the following:
  * none: if you want no field/value extraction to take place.
  * auto: extracts field/value pairs separated by equal signs.
  * auto_escaped: extracts fields/value pairs separated by equal signs and
                  honors \" and \\ as escaped sequences within quoted
                  values, e.g field="value with \"nested\" quotes"
  * multi: invokes the multikv search command to expand a tabular event into
           multiple events.
  * xml : automatically extracts fields from XML data.
  * json: automatically extracts fields from JSON data.
* Setting to 'none' can ensure that one or more user-created regexes are not
  overridden by automatic field/value extraction for a particular host,
  source, or source type, and also increases search performance.
* The 'xml' and 'json' modes do not extract any fields when used on data
  that isn't of the correct format (JSON or XML).
* Default: auto

https://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf?utm_source=answers&utm_medium=in...
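
A props.conf sketch of the advice in the answer above, added here as an example and not taken from the thread or from Splunk's documentation. The source type names, the EXTRACT class names, the regex and the sample event are hypothetical.

```ini
# props.conf -- added example; all stanza names below are hypothetical.

# Constructed sample event for the two firewall stanzas:
#   10.1.2.3 blocked 443

# Before: regex extraction with no KV_MODE line.
# The default (KV_MODE = auto) still applies, so automatic
# field/value extraction runs in addition to the regex.
[acme:fw:before]
EXTRACT-acme_fw = ^(?<src_ip>\S+)\s+(?<action>\w+)\s+(?<dest_port>\d+)$

# After: same regex, automatic extraction switched off so only the
# fields named in the regex are produced at search time.
[acme:fw:after]
KV_MODE = none
EXTRACT-acme_fw = ^(?<src_ip>\S+)\s+(?<action>\w+)\s+(?<dest_port>\d+)$

# Structured source: state the format explicitly instead of relying
# on the default. Per the spec text quoted above, json mode extracts
# no fields when the data is not actually JSON.
[acme:app:json]
KV_MODE = json
```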


Re: Cannot see full field list in Add Auto-Extracted Field window for a dataset in a datamodel

Path Finder

We are in SplunkCloud and do not have access to any of the .conf files.


Re: Cannot see full field list in Add Auto-Extracted Field window for a dataset in a datamodel

Motivator

Hrmmm, understood. I believe the issue is still the same, but unfortunately I do not have expertise with SplunkCloud, only on-prem clustering.

@acharlieh ?
