AUTO_KV_JSON is not needed anywhere, because it defaults to true anyway 😉
AUTO_KV_JSON = [true|false]
* Used for search-time field extractions only.
* Specifies whether to try json extraction automatically.
* Defaults to true.
If you use KV_MODE=json, it will only go on the search head. And adding to this, your JSON format must be true and valid JSON, otherwise Splunk will not do anything ...
* The 'xml' and 'json' modes will not extract any fields when used on data
that isn't of the correct format (JSON or XML).
Hope this helps ...
cheers, MuS
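An added example, not part of the post above or of Splunk's own tooling: a pre-check that tells you which raw events are strict JSON from the first character to the last, which is the condition the quoted spec text gives for the 'json' mode to extract anything. It assumes Python's `json` parser is an acceptable stand-in for "valid JSON"; the function names and the sample events are constructed for illustration.

```python
import json


def _reject_constant(name):
    # json.loads accepts NaN/Infinity by default; strict JSON does not.
    raise ValueError(f"non-standard constant {name}")


def check_event(raw):
    """Return (ok, reason) for one raw event string."""
    text = raw.strip()
    if not text:
        return False, "empty event"
    if text[0] not in "{[":
        # A header in front of the payload means the event as a whole is not JSON.
        pos = text.find("{")
        if pos > 0:
            return False, f"non-JSON prefix of {pos} chars before first '{{'"
        return False, "no JSON object found"
    try:
        json.loads(text, parse_constant=_reject_constant)
    except ValueError as exc:  # JSONDecodeError is a ValueError subclass
        return False, f"invalid JSON: {exc}"
    return True, "valid JSON"


def report(events):
    """Check every event; return a list of (index, ok, reason)."""
    return [(i, *check_event(e)) for i, e in enumerate(events)]


# Constructed sample events (not taken from any real system).
SAMPLE_EVENTS = [
    '{"user": "alice", "action": "login", "src": "10.0.0.5"}',
    'Jan 12 10:00:01 host app: {"user": "bob", "action": "login"}',
    "{'user': 'carol', 'action': 'logout'}",
    '{"user": "dave", "bytes": NaN}',
    '{"user": "erin", "action": "login",}',
]

if __name__ == "__main__":
    for idx, ok, reason in report(SAMPLE_EVENTS):
        print(f"event {idx}: {'OK ' if ok else 'BAD'} {reason}")
```

Run it over a sample of the sourcetype's raw events before troubleshooting props.conf; any event reported as BAD is one to fix at the source or at parsing time.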