All,
Will INDEXED_EXTRACTIONS = JSON perform the extractions on an All-in-One platform?
Here is my props.conf
The sourcetype was executed but none of the fields were extracted.
I can see the fields & values in _raw but they are not listed as fields.
Here is what I see with an adhoc search.
The time "field" within _raw is Jan 5, 2022
I did index the data on 2/22/22 but I am uncertain where the _time field came from. It matches nothing in the data.
props.conf (no transforms.conf)
# created on 2/22/2022 for a test case using INDEXED_EXTRACTIONS=JSON
# The non-highlighted settings are identical to a known working stanza for the exact same data
[allfields_index_extracted]
INDEXED_EXTRACTIONS = JSON
NO_BINARY_CHECK = true
LINE_BREAKER = ([\r\n]+)
EVENT_BREAKER = ([\r\n]+)
EVENT_BREAKER_ENABLE = true
SHOULD_LINEMERGE = false
TIME_PREFIX = ^"?{""?time""?:
TIME_FORMAT = %s.%6N
MAX_TIMESTAMP_LOOKAHEAD = 17
category = Structured
description = INDEXED_EXTRACTIONS eq JSON
pulldown_type = 1
# Search Time stuff
# Disable search time field extractions since INDEXED_EXTRACTIONS=JSON
KV_MODE = none
AUTO_KV_JSON = false
disabled = false
Appreciate the help!
1 Solution
