Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

INDEXED_EXTRACTIONS = JSON limiting multivalued fields to 10 values?

suarezry
Builder
‎10-14-2015 07:02 AM

See attached screenshot. It looks like the splunk table command displays up to a maximum of 10 values for the generalLedger.generalLedgerCode and caption columns. The raw data is in JSON:

{
   "billId":"3558",
   "beginDate":"2015-09-01T00:00:00",
   "endDate":"2015-10-01T00:00:00",
   "bodyLines":
   [
      {
           "caption":"Empress"
           "generalLedger": {  "generalLedgerCode":"TRAF_NG_SHELL" }
       }
       {
           "caption":"Empress Fuel"
           "generalLedger": {  "generalLedgerCode":"TRAF_NG_SHELL" }
       }
      (...and so on...)
   ]
}

How do I increase or remove this limit?

See attached screenshot.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

suarezry
Builder
‎10-14-2015 12:15 PM

I switched from "INDEXED_EXTRACTIONS = JSON" to "KV_MODE = json" and can confirm that the problem is fixed.

The problem is with INDEXED_EXTRACTIONS.

View solution in original post

Reply
Solved! Jump to solution
Solution

suarezry
Builder
‎10-14-2015 12:15 PM

I switched from "INDEXED_EXTRACTIONS = JSON" to "KV_MODE = json" and can confirm that the problem is fixed.

The problem is with INDEXED_EXTRACTIONS.

Reply
Solved! Jump to solution

suarezry
Builder
‎10-14-2015 12:53 PM

Not really an answer, more of a workaround. The problem with JSON INDEXED_EXTRACTIONS still exists!

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎10-14-2015 07:45 AM

How are you decoding the JSON? Show your inputs.conf and props.conf files.

0 Karma
Reply
Solved! Jump to solution

suarezry
Builder
‎10-14-2015 07:54 AM

inputs.conf on forwarder:

[monitor:///some/path/to/directory]
disabled = false
index=facilities
crcSalt = \
sourcetype = facilities

props.conf on indexer:

[source::/some/path/to/directory/*]
INDEXED_EXTRACTIONS = JSON
TRUNCATE = 100000
SHOULD_LINEMERGE = false
MUST_BREAK_AFTER = ($)
0 Karma
Reply
Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

New Release | Splunk Cloud Platform 10.1.2507

Hello Splunk Community!We are thrilled to announce the General Availability of Splunk Cloud Platform 10.1.2507 ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

🗣 You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...