Solved: Re: INDEXED_EXTRACTIONS = JSON limiting multivalue...

suarezry · ‎10-14-2015

See attached screenshot. It looks like the splunk table command displays up to a maximum of 10 values for the generalLedger.generalLedgerCode and caption columns. The raw data is in JSON:

{
   "billId":"3558",
   "beginDate":"2015-09-01T00:00:00",
   "endDate":"2015-10-01T00:00:00",
   "bodyLines":
   [
      {
           "caption":"Empress"
           "generalLedger": {  "generalLedgerCode":"TRAF_NG_SHELL" }
       }
       {
           "caption":"Empress Fuel"
           "generalLedger": {  "generalLedgerCode":"TRAF_NG_SHELL" }
       }
      (...and so on...)
   ]
}

How do I increase or remove this limit?

suarezry · ‎10-14-2015

I switched from "INDEXED_EXTRACTIONS = JSON" to "KV_MODE = json" and can confirm that the problem is fixed.

The problem is with INDEXED_EXTRACTIONS.

View solution in original post

suarezry · ‎10-14-2015

I switched from "INDEXED_EXTRACTIONS = JSON" to "KV_MODE = json" and can confirm that the problem is fixed.

The problem is with INDEXED_EXTRACTIONS.

suarezry · ‎10-14-2015

Not really an answer, more of a workaround. The problem with JSON INDEXED_EXTRACTIONS still exists!

woodcock · ‎10-14-2015

How are you decoding the JSON? Show your inputs.conf and props.conf files.

suarezry · ‎10-14-2015

inputs.conf on forwarder:

[monitor:///some/path/to/directory]
disabled = false
index=facilities
crcSalt = \
sourcetype = facilities

props.conf on indexer:

[source::/some/path/to/directory/*]
INDEXED_EXTRACTIONS = JSON
TRUNCATE = 100000
SHOULD_LINEMERGE = false
MUST_BREAK_AFTER = ($)

INDEXED_EXTRACTIONS = JSON limiting multivalued fields to 10 values?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases