Splunk Search

INDEXED_EXTRACTIONS = JSON limiting multivalued fields to 10 values?

suarezry
Builder

See attached screenshot. It looks like the Splunk table command displays up to a maximum of 10 values for the generalLedger.generalLedgerCode and caption columns. The raw data is in JSON:

{
   "billId":"3558",
   "beginDate":"2015-09-01T00:00:00",
   "endDate":"2015-10-01T00:00:00",
   "bodyLines":
   [
      {
           "caption":"Empress",
           "generalLedger": { "generalLedgerCode":"TRAF_NG_SHELL" }
      },
      {
           "caption":"Empress Fuel",
           "generalLedger": { "generalLedgerCode":"TRAF_NG_SHELL" }
      },
      (...and so on...)
   ]
}

How do I increase or remove this limit?

1 Solution

suarezry
Builder

I switched from "INDEXED_EXTRACTIONS = JSON" to "KV_MODE = json" and can confirm that the problem is fixed.

The problem is with INDEXED_EXTRACTIONS.

suarezry
Builder

Not really an answer, more of a workaround. The problem with JSON INDEXED_EXTRACTIONS still exists!

woodcock
Esteemed Legend

How are you decoding the JSON? Show your inputs.conf and props.conf files.

suarezry
Builder

inputs.conf on forwarder:

[monitor:///some/path/to/directory]
disabled = false
index=facilities
crcSalt = \
sourcetype = facilities

props.conf on indexer:

[source::/some/path/to/directory/*]
INDEXED_EXTRACTIONS = JSON
TRUNCATE = 100000
SHOULD_LINEMERGE = false
MUST_BREAK_AFTER = ($)
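Both configurations discussed in this thread side by side, as an added example that is not from any of the posts: Variant A is the poster's index-time setup, Variant B the search-time setup from the accepted answer. It assumes the usual split between a parsing instance (forwarder or indexer) and a search head, and takes the `facilities` sourcetype and the `/some/path/to/directory` placeholder from the poster's own files.

```ini
# Added example, not from the thread. Shows the poster's index-time setup next
# to the search-time setup from the accepted answer. Stanza names come from the
# poster's inputs.conf/props.conf; the deployment layout is assumed.

# ---- Variant A: index-time JSON extraction (what the poster started with) ----
# props.conf on the instance that parses the data (the poster's indexer).
# Field values are computed once, written into the index and cannot be
# corrected later without re-indexing.
[source::/some/path/to/directory/*]
INDEXED_EXTRACTIONS = JSON
TRUNCATE = 100000
SHOULD_LINEMERGE = false
MUST_BREAK_AFTER = ($)

# If Variant A is kept, props.conf on the search head should disable automatic
# search-time extraction for the same sourcetype; otherwise every value is
# extracted a second time from _raw and shows up twice in the multivalue field.
[facilities]
KV_MODE = none

# ---- Variant B: search-time JSON extraction (the accepted workaround) ----
# props.conf on the parsing instance keeps only the line-breaking settings;
# no JSON fields are written into the index.
[source::/some/path/to/directory/*]
TRUNCATE = 100000
SHOULD_LINEMERGE = false
MUST_BREAK_AFTER = ($)

# props.conf on the search head: extract the fields from _raw at search time,
# keyed by the sourcetype assigned in inputs.conf. Changing this later needs
# no re-indexing; the next search picks it up.
[facilities]
KV_MODE = json
```

Deploy one variant or the other, not both: an indexed field and a search-time field with the same name are merged into a single multivalue field with each value repeated.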