In my case I was sending TCP info (JSON) through a REST API; I had to recreate my source type configuration like this:

Name: Whatever
Description: Whatever
Destination App: Whatever
Category: Whatever
Indexed extractions: json

Next, in the Advanced tab, you need to add this extra setting:

KV_MODE = none

The reason is that the JSON I send via the API already contains the event attribute in the way Splunk expects, so KV_MODE (key value mode) should be set to none; this way you avoid double parsing of the event JSON data.

{
  "sourcetype": "MyCustomSourceType",
  "index": "index-name",
  "event": {
    "a": "aa",
    "n": 1, .....
  }
}
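The same source type definition expressed as a props.conf stanza, as an added example that is not part of the original post; it assumes the UI fields "Indexed extractions: json" and the Advanced-tab setting map to the INDEXED_EXTRACTIONS and KV_MODE keys, and that the stanza name matches the sourcetype value sent in the HEC payload:

```ini
# props.conf (e.g. in $SPLUNK_HOME/etc/apps/<your_app>/local/) - assumed location
# Stanza name must equal the "sourcetype" value sent in the HEC payload.
[MyCustomSourceType]
# Parse the incoming JSON once, at index time (the "Indexed extractions: json" UI field).
INDEXED_EXTRACTIONS = json
# Disable search-time key/value extraction for this sourcetype (the Advanced-tab setting).
# With the default (KV_MODE = auto) the already-indexed JSON fields would be
# extracted a second time at search time, i.e. the double parsing described above.
KV_MODE = none
```

After editing props.conf, restart Splunk (or reload the configuration) so the stanza takes effect for newly received events.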