Solved: HEC large field value not extracted but is in _raw

simpkins1958 · ‎01-29-2019

Have a field in our HEC input that is larger the 10,000 characters. When searching the data input from HEC the field is has not been extracted. It is in _raw and I can pull it out of there. Really would like to be able to have the field extracted.

props.conf has:
TRUNCATE = 0

I can manually input the same data via a text file and the large field (a blob of JSON text) is extracted and available fine. Just not when input via HEC.

See screen shots

starcher · ‎03-05-2019

If sending into HEC using the event not raw endpoint in JSON.
Set KV_MODE = JSON on the props for that sourcetype. NOT auto...
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf?splunkbot

View solution in original post

starcher · ‎03-05-2019

If sending into HEC using the event not raw endpoint in JSON.
Set KV_MODE = JSON on the props for that sourcetype. NOT auto...
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf?splunkbot

simpkins1958 · ‎03-05-2019

Adding this to props.conf fixed the issue:

[nm_MobileDiagnosticsReportData]
KV_MODE = json

sdchakraborty · ‎03-05-2019

Hi,

Canyou increase the maxchars in limits.conf and try.

https://docs.splunk.com/Documentation/Splunk/7.2.4/Admin/Limitsconf

Sid

simpkins1958 · ‎03-05-2019

When the events are inserted via HEC running a fieldsummary DOES NOT show report field. When the same raw event is input via a file fieldsummary DOES show report field.

maciep · ‎02-10-2019

i'll ask the dumb question...is the report field in the "3 more fields" link?

simpkins1958 · ‎02-10-2019

No the report field is not listed.

HEC large field value not extracted but is in _raw

Observability | How to Think About Instrumentation Overhead (White Paper)

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

The Great Resilience Quest: 10th Leaderboard Update