×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Adisharma
Engager
Member since: ‎06-30-2023
‎07-04-2023
Community Statistics
Posts 1
Solutions 0
Karma Given 2
Karma Received 0
Member Since ‎06-30-2023
Activity Feed
View All

Re: How to extract fields from a json in _raw?

by SplunkTrust in Splunk Search
‎03-20-2024 08:10 AM
‎03-20-2024 08:10 AM
One comment for this workaround. It extracts those fields as expected, BUT if any event is shorter than 10241 (or whatever you have in limits.conf/kv stanza) character then you have duplicate fields on those events! Basically you can try to remove duplicates e.g.  | mvexpand <field name> | dedup <field name> Usually this must done one field only. Anyhow this is just workaround until you can fix those values in limits.conf (kv stanza). See e.g. https://community.splunk.com/t5/Splunk-Search/Why-are-not-all-field-values-are-extracted-for-long-JSON-files/m-p/573446  ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎07-04-2023 10:29 AM