Splunk Search

HEC large field value not extracted but is in _raw

simpkins1958
Contributor

Have a field in our HEC input that is larger than 10,000 characters. When searching the data input from HEC, the field has not been extracted. It is in _raw and I can pull it out of there. Really would like to be able to have the field extracted.

props.conf has:
TRUNCATE = 0

I can manually input the same data via a text file and the large field (a blob of JSON text) is extracted and available fine. Just not when input via HEC.

See screen shots.

0 Karma
1 Solution

starcher
SplunkTrust
SplunkTrust

If sending into HEC using the event (not raw) endpoint in JSON, set KV_MODE = JSON on the props for that sourcetype. NOT auto...
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf?splunkbot


0 Karma
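The accepted answer turns on two things the thread states but never shows side by side: the payload must go to the HEC event endpoint with the JSON as a real object (so _raw holds JSON for KV_MODE = json to walk), and the request must carry the sourcetype so the props.conf stanza applies. The script below is an added example, not code from the thread or from Splunk; the host, token and report contents are constructed placeholders, and the stanza name nm_MobileDiagnosticsReportData is the one the question's own fix uses.

```python
"""Send a large JSON report to the Splunk HEC *event* endpoint.

Added example, not code from the thread. Assumes a HEC token, host and
port (placeholders below) and that props.conf for the sourcetype carries
KV_MODE = json so the nested JSON is extracted at search time.
"""
import json
import ssl
import urllib.request

# Placeholders (assumptions): replace with your collector host and token.
HEC_URL = "https://splunk.example.invalid:8088/services/collector/event"
HEC_TOKEN = "00000000-0000-0000-0000-000000000000"
SOURCETYPE = "nm_MobileDiagnosticsReportData"  # stanza name from the thread


def build_report(entries: int = 400) -> dict:
    """Construct a sample diagnostics report (constructed data) whose
    serialized size exceeds 10,000 characters, as in the question."""
    return {
        "device": "device-0001",
        "entries": [
            {"seq": i, "status": "ok", "detail": "x" * 20} for i in range(entries)
        ],
    }


def build_hec_event(report: dict, sourcetype: str = SOURCETYPE) -> dict:
    """Wrap a report in the HEC event-endpoint envelope.

    The report goes in as a JSON object (not a pre-serialized string), so
    _raw holds real JSON for KV_MODE = json to walk. The sourcetype key is
    what makes the props.conf stanza apply to the event.
    """
    return {
        "sourcetype": sourcetype,
        "event": {"report": report},
    }


def payload_chars(envelope: dict) -> int:
    """Size of the serialized event body; useful when comparing against
    TRUNCATE and the limits.conf value mentioned further down the thread."""
    return len(json.dumps(envelope["event"], separators=(",", ":")))


def post_to_hec(envelope: dict, url: str = HEC_URL, token: str = HEC_TOKEN) -> int:
    """POST the envelope to HEC and return the HTTP status.

    Needs network access to a real collector; certificate verification is
    left on (default SSL context) rather than disabled.
    """
    body = json.dumps(envelope).encode()
    req = urllib.request.Request(
        url,
        data=body,
        headers={
            "Authorization": f"Splunk {token}",
            "Content-Type": "application/json",
        },
        method="POST",
    )
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    env = build_hec_event(build_report())
    print(f"event body is {payload_chars(env)} characters")
    print("HTTP", post_to_hec(env))
```

After the event is indexed, `index=<your_index> sourcetype=nm_MobileDiagnosticsReportData | fieldsummary` is the same check the question uses; with the stanza in place the report.* fields should appear, which is exactly what did not happen before KV_MODE = json was set.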


simpkins1958
Contributor

Adding this to props.conf fixed the issue:

[nm_MobileDiagnosticsReportData]
KV_MODE = json

0 Karma

sdchakraborty
Contributor

Hi,

Can you increase the maxchars in limits.conf and try?

https://docs.splunk.com/Documentation/Splunk/7.2.4/Admin/Limitsconf

Sid

0 Karma

simpkins1958
Contributor

When the events are inserted via HEC running a fieldsummary DOES NOT show report field. When the same raw event is input via a file fieldsummary DOES show report field.

0 Karma

maciep
Champion

I'll ask the dumb question... is the report field in the "3 more fields" link?

0 Karma

simpkins1958
Contributor

No the report field is not listed.

0 Karma