Monitoring Splunk
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

JSON extracting multiple times?

vinayakwagh
Engager
‎04-10-2019 01:49 PM

I have HeavyForwarder monitoring jason data.
i am getting JSON extraction normal on HF.

But if i search for same data on Search Head Json fields are extracting twice.

I have tried modifying props.conf with
KV_MODE=none
INDEXED_EXTRACTION=json

i also tried props on SH with
AUTO_KV_JSON = false

but getting same result

Tags (1)
0 Karma
Reply

woodcock
Esteemed Legend
‎09-01-2019 01:56 PM

You need these props.conf settings on your Search Head:

[my_sourcetype]
KV_MODE = none
AUTO_KV_JSON = false

Restart splunk on the search head. That's it. If it isn't working, double-check with btool.

0 Karma
Reply

thirusama
Path Finder
‎08-29-2019 10:46 AM

@vinayakwagh Please if below post helps you. We had faced similar issue and is resolved now
https://answers.splunk.com/answers/768573/why-are-json-fields-extracted-and-displayed-twice.html

0 Karma
Reply

woodcock
Esteemed Legend
‎04-10-2019 05:15 PM

You need this on your Forwarder (the server where the json file exists, probably not your HF):

INDEXED_EXTRACTION=json
sourcetype=YourSourcetypeHere

You need this on your Search Heads:

[<YourSourcetypeHere>]
KV_MODE=none 
AUTO_KV_JSON = false
Reply

thirusama
Path Finder
‎08-26-2019 02:52 PM

We have Similar issue (json fields are extracted twice)

On Universal forwarder (7.0.3) the settings are like this

 [my_sourcetype]
    SHOULD_LINEMERGE=true
    LINE_BREAKER=([\r\n]+)
    NO_BINARY_CHECK=true
    CHARSET=UTF-8
    INDEXED_EXTRACTIONS=json
    KV_MODE=none
    category=Structured
    description=JavaScript Object Notation format. For more information, visit http://json.org/
    disabled=false
    pulldown_type=true
    TIMESTAMP_FIELDS=timestamp

On Search Head(7.2.6), tried all combinations of below

[my_sourcetype]
INDEXED_EXTRACTIONS=json
KV_MODE=none
AUTO_KV_JSON = false

Does anyone have a working solution? Also when we apply props on SH member, do we have to restart Splunk on it? We just did _debug/refresh.

0 Karma
Reply

woodcock
Esteemed Legend
‎10-17-2019 06:57 AM

Your settings are correct so it must be something else. If you are doing a sourcetype override/overwrite, you must use the ORIGINAL value, NOT the new value. You must deploy your settings to the first full instance(s) of Splunk that handle the events (usually either the HF tier if you use one, or else your Indexer tier), restart all Splunk instances there, send in new events (old events will stay broken), then test using _index_earliest=-5m to be absolutely certain that you are only examining the newly indexed events.

0 Karma
Reply

masonmorales
Influencer
‎08-26-2019 02:54 PM

Yes, restart Splunk.

0 Karma
Reply

thirusama
Path Finder
‎08-26-2019 02:58 PM

Restarted, No luck.

0 Karma
Reply

sakthiganesht
New Member
‎10-17-2019 05:50 AM

I have similar issue like you, even after restart no luck
Could you please let me know if you got it fixed?

0 Karma
Reply

pruthvikrishnap
Contributor
‎04-10-2019 03:02 PM

Hi Vinay,

try this, it worked for me.
in props.conf add below
[json_app]
INDEXED_EXTRACTIONS=json
KV_MODE=none

0 Karma
Reply

vinayakwagh
Engager
‎04-11-2019 12:29 PM

Hi
in which props should i entered this stanza?

on SH or HF?

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...