Hi, I am trying to ingest long JSON files into my Splunk index, where a record could contain more than 10000 characters. To prevent long records from getting truncated, I added a "TRUNCATE=0" into my props.conf, and the entire record was ingested into the index. All events are forwarded and stored in the index, but I'm having problems with fields that appear towards the end of the JSON records.  I'm currently testing with 2 files: File A has 382 records, of which 166 are long records.  File B has 252 records, of which all are long records.  All 634 events are returned with a simple search of the index, and I can see all fields in each event, regardless of how long the event is. However, not all fields are extracted and directly searchable. For example, one of the fields is called "name", and it appears towards the end of each JSON record. On the "Interesting fields" pane, under "name", it shows only a count of 216 events from File A, and none of the remaining 166 + 252 long events in Files A and B. This is the same for other fields that appear towards the end of each JSON record, but fields towards the beginning of the record show all 634 events. If I negate the 216 events, then these fields do not appear on the Fields pane at all. Also, while I'm not able to directly search for "name=<name in File B>", I can still select the field from the event and "add to search", and all 252 events would be returned. I'm not sure why these fields are not properly extracted even though they did not appear to be truncated. How can I extract them properly? Thank you.

I want to add the in_usage and out_usage value from the below table. for example, I want to add in_usage with out_usage and result should be as total. Likewise for other values. can someone give ideas for this. _time source status Avg metric_name 11/3/2021 5:02 Interface_Summary_Out out_usage 16.01833333 GigabitEthernet0/1 11/3/2021 5:00 Interface_Summary_In in_usage 5.555 GigabitEthernet0/1 11/3/2021 4:02 Interface_Summary_Out out_usage 17.085 GigabitEthernet0/1 11/3/2021 4:00 Interface_Summary_In in_usage 5.270833333 GigabitEthernet0/1 11/3/2021 3:02 Interface_Summary_Out out_usage 17.425 GigabitEthernet0/1 11/3/2021 3:00 Interface_Summary_In in_usage 5.48 GigabitEthernet0/1   Please refer the attached screenshot for you reference

I am running a query that gives me various percentile metric in different row, and I would like to format them in an easily readable table.  For example, here is the current outcome after I run the below query index=my_indexer | stats p50(startuptime) as "startuptime_p50", p90(startuptime) as "startuptime_p90", p99(startuptime) as "startuptime_p99", p50(render_time) as "render_time_p50", p90(render_time) as "render_time_p90", p99(render_time) as "render_time_p99", p50(foobar_time) as "foobar_time_p50", p90(foobar_time) as "foobar_time_p90", p99(foobar_time) as "foobar_time_p99", | transpose column                             row1 startuptime_p50         50 startuptime_p70         70 startuptime_p90         90 render_time_p50         51 render_time_p70         72 render_time_p90         93 foobar_time_p50         53 foobar_time_p70         74 foobar_time_p90         95 I would like to format the final table as follow (the column header is optional) Marker                P50         P70         P90 startup                50            70            90 render                 51            72            93 foobar                 53            74            95 thank you very much for your help

Hello All,  This may seem easy, but its been quite tedious. How can I create one field that has common values from two separate strings: Example:  Field 1=123_yyy  Field 2=777_x_123_0 Desired Results= New Field = 123  I have tried the below, but it only gives me false --- I know they dont match - I just want what is matching - any suggestions anyone?  | eval matched=if(like(Field1,"%".Field2."%"),"True","False")  

Hello, I would like to reach out for some help in creating a custom sourcetype (cloned from _json), I'm calling it "ibcapacity".  I've tried to edit the settings under this new sourcetype but my results are even more broken. The output of the file is formatted correctly in _json (the jq checks come back all good); but when using the _json default sourcetype, the Splunk event gets cut off at 349 lines (the entire file is 392 lines); and the other problem using the standard _json format is that its not fully "color coding" the KVs...but that could be due to the fact that the end brackets aren't in the Splunk event because it was cut off at 349 lines. So my solution was to try to create a custom sourcetype (cloned from _json), I'm calling it "ibcapacity".  I've tried to edit the settings under this new sourcetype but my results are even more broken. Here is the event when searched in the standard _json sourcetype: This is where the Splunk event gets cut off. However, the rest of the file has this at the end (past line 349), which doesn't show up in the Splunk event: ], "percent_used": 120, "role": "Grid Master", "total_objects": 529020 } ] Can this community please help to identify what the correct settings should be for my custom sourcetype, ibcapacity?  Why is the Splunk log getting cut off at 349 lines when using sourcetype=_json? Thank you.

good afternoon I'm currently running the trial Enterprise version on a workstation which (appears to) installed OK, i've installed a forwarder on a server, again which appears to have installed OK, however I can't seem to get the two to talk to each other (I can't add the forwarder in the Enterprise UI as it can't find it) I've searched for the problem on google etc but have only come across 1 post that relates to what I am experiencing - the solution didn't work lol. Would anyone happen to have any ideas or point me in the right direction please. TIA