Hello, @sainag_splunk  I tried more things, but issue has still raised. So I checked our messages, I will try to apply something to props.conf I told my infra has 3 search heads, and 5 indexers. If I set the props.conf, the field kv_mode =json is applied to props.conf in both search head, UF? I mean this will be applied to UF, "<SPLUNK_HOME>/etc/deployment-app/<target>/local/props.conf" and 3 search head, all of "<SPLUNK_HOME>/system/local/props.conf"? How to apply something field to UF, search head?   --- I have tried to remove "EXTRACED_INDEXED=json", and add "kv_mode=json", but the results were shown as below: 24/10/28 16:33:57.000 { "Versions" : { "google_version" : "telemetry-json1.json", "ssd_vendor_name" : "Vendors", show more 257 rows 24/10/28 16:33:57.000 "0xbf4 INFO System shutdown: 0h 0h 0h", host = <host> source = <source> sourcetype = my_json 24/10/28 16:33:57.000 "0xbf4 INFO System state active: 0h 0h 0h", host = <host> source = <source> sourcetype = my_json 24/10/28 16:33:57.000 "0xbf1 INFO System shutdown: 0h 0h 0h", host = <host> source = <source> sourcetype = my_json 24/10/28 16:33:57.000 "0xbf1 INFO System state active: 0h 0h 0h", host = <host> source = <source> sourcetype = my_json 24/10/28 16:33:57.000 "0xbee INFO System shutdown: 0h 0h 0h", host = <host> source = <source> sourcetype = my_json 24/10/28 16:33:57.000 "0xbee INFO System state active: 0h 0h 0h", host = <host> source = <source> sourcetype = my_json 24/10/28 16:33:57.000 "0xbec INFO System shutdown: 0h 0h 0h", host = <host> source = <source> sourcetype = my_json 24/10/28 16:33:57.000 "dram_corrected_count" : 0, host = <host> source = <source> sourcetype = my_json 24/10/28 16:33:57.000 ], host = <host> source = <source> sourcetype = my_json 24/10/28 16:33:57.000 { } host = <host> source = <source> sourcetype = my_json   I don't know why indexers receieved the data with line by line after first json parsing. LINE BREAKER is same with above.  Thank you. ... View more

Hi @kulrajatwal  How to check in hex chars? I have the same issues in my splunk, So I got the raw data file and process your command to it. But I don't know how to check the invalid chars in my raw data. Could you explain in detail? What is the splunk's accepted format? and how to fix in my json? ... View more

Hi, @sainag_splunk  I entered your search command on my splunk search app, the results were not shown. No results in your command from my source type, "my_json". I have confused how to resolve this issue, It may cause critical errors for analysing our data.  Is there anything to try to resolve the issue? I have tried that,  the data has line breaking after ':', so the parsing error was caused, in my think. I treid to change the value "LINE_BREAKER=[}|,]+[\r\n]+", this means if the end of line is ":\r\n", UF will don't break the line. But though changing the LINE_BREAKER value, the parsing errors are still raised.  24/10/23 12:02:22.193   10-23-2024 12:02:22.193 +0900 ERROR JsonLineBreaker [7804 structuredparsing] - JSON StreamId:15916142412051242565 had parsing error:Unexpected character: ':' - data_source="C:\splunk\<my_path>.bin", data_host="<my_host>", data_sourcetype="my_json" ... View more

Hi, @sainag_splunk  My problem is still remained. Sorry for that your solution didn't solve my problem...  I tried some cases more, will ask about I tried cases. By the way, I have another question for this issue. I tried to change the props.conf for json parsing, "KV_MODE=json" -> "KV_MODE=none" Add "INDEXED_EXTRACTIONS=json" But I think there are errors in parsing to json.  Why this errors was occurred?? My search query is index=_internal JsonLineBreaker NOT StreamedSearch And results show many below lines. 10-10-2024 13:05:55.318 +0900 ERROR JsonLineBreaker [2427 structuredparsing] - JSON StreamId:8181676460594335103 had parsing error:Unexpected character while looking for value: '}' - data_source="*****.json", data_host="****", data_sourcetype="my_json" host = **** source = /opt/splunkforwarder/var/log/splunk/splunkd.log sourcetype = splunkd 10-10-2024 13:05:55.315 +0900 ERROR JsonLineBreaker [2427 structuredparsing] - JSON StreamId:8181676460594335103 had parsing error:Unexpected character while looking for value: '}' - data_source="*****.json", data_host="****", data_sourcetype="my_json" host = **** source = /opt/splunkforwarder/var/log/splunk/splunkd.log sourcetype = splunkd ... I checked the json file, but there is no invalid characters in json. Also, I tried to parse json in Python or JsonParseWebEditor,,, there is no problems. Why this logs are remained?? ... View more

Dear @sainag_splunk  I tried using the below props.conf: DATETIME_CONFIG = KV_MODE = json LINE_BREAKER = (?:,)([\r\n]+)) NO_BINARY_CHECK = true TIMESTAMP_FIELDS = _time TIME_FORMAT = %2Y%m%d%H%M%S TRUNCATE = 0 category = Structured description = my json type without truncate disabled = false pulldown_type = 1 MAX_EVENTS=1000000 SHOULD_LINE_MERGE = false  But is was same. Umm... I wonder something for your answer,  I applied it deployer server, It will deploy to apps for all of Universal Forwarder.  So if I set the inputs.conf as a below: [batch://C:\splunk\my_data\*.json] index=myIndex sourcetype=my_json crcSalt=<SOURCE> move_policy = sinkhole   The app which address this inputs.conf has above props.conf. However, your answer's concept is not this applied, isn't it? How to apply your answer in my system..? I hope you help me in detail, I'm sorry for I'm begineer in splunk.   My system has 3 search heads, 1 is splunk app, 2 is cluster master and 3 is deployer. In this, 5 indexers.. So the client which is installed UF will send the data to 5 indexers with L/B, and We search in 3 search heads, the results are shown.   Please help me, Thank you. ... View more