Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

INDEXED_EXTRACTIONS = JSON limiting multivalued fields to 10 values?

suarezry
Builder
‎10-14-2015 07:02 AM

See attached screenshot. It looks like the splunk table command displays up to a maximum of 10 values for the generalLedger.generalLedgerCode and caption columns. The raw data is in JSON:

{
   "billId":"3558",
   "beginDate":"2015-09-01T00:00:00",
   "endDate":"2015-10-01T00:00:00",
   "bodyLines":
   [
      {
           "caption":"Empress"
           "generalLedger": {  "generalLedgerCode":"TRAF_NG_SHELL" }
       }
       {
           "caption":"Empress Fuel"
           "generalLedger": {  "generalLedgerCode":"TRAF_NG_SHELL" }
       }
      (...and so on...)
   ]
}

How do I increase or remove this limit?

See attached screenshot.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

suarezry
Builder
‎10-14-2015 12:15 PM

I switched from "INDEXED_EXTRACTIONS = JSON" to "KV_MODE = json" and can confirm that the problem is fixed.

The problem is with INDEXED_EXTRACTIONS.

View solution in original post

Reply
Solved! Jump to solution
Solution

suarezry
Builder
‎10-14-2015 12:15 PM

I switched from "INDEXED_EXTRACTIONS = JSON" to "KV_MODE = json" and can confirm that the problem is fixed.

The problem is with INDEXED_EXTRACTIONS.

Reply
Solved! Jump to solution

suarezry
Builder
‎10-14-2015 12:53 PM

Not really an answer, more of a workaround. The problem with JSON INDEXED_EXTRACTIONS still exists!

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎10-14-2015 07:45 AM

How are you decoding the JSON? Show your inputs.conf and props.conf files.

0 Karma
Reply
Solved! Jump to solution

suarezry
Builder
‎10-14-2015 07:54 AM

inputs.conf on forwarder:

[monitor:///some/path/to/directory]
disabled = false
index=facilities
crcSalt = \
sourcetype = facilities

props.conf on indexer:

[source::/some/path/to/directory/*]
INDEXED_EXTRACTIONS = JSON
TRUNCATE = 100000
SHOULD_LINEMERGE = false
MUST_BREAK_AFTER = ($)
0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...