I have a JSON format log file.
When this is ingested by a single-server installation of Splunk (4.3.4), fields are correctly extracted at search time (and appear as interesting fields). The following stanza is used in props.conf:
[alarm_log]
KV_MODE=JSON
TIME_FORMAT=%d/%m/%Y %T.%3N
TIME_PREFIX = LogTimeStamp":"
Moving to QA. I have:
1 machine with a Heavy Forwarder (stanza):
[alarm_log]
TIME_FORMAT=%d/%m/%Y %T.%3N
TIME_PREFIX = LogTimeStamp":"
1 machine with the indexer and search head (stanza):
[alarm_log]
KV_MODE=JSON
When the exact same log file is ingested, the fields are not extracted, and I must use spath command in each search to force this extraction.
What am I missing?
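For reference, the usual split of props.conf settings between the two tiers, written out as an added example that is not part of the question above. It assumes the file is monitored from /var/log/alarm.log (a made-up path), that each event is one JSON object per line, and that the sourcetype alarm_log is assigned on the forwarder and reaches the search head unchanged; index-time settings (line breaking, timestamp) belong where parsing happens, the heavy forwarder, while KV_MODE is search-time and is read only by the search head.

```ini
# --- Heavy forwarder: inputs.conf (assumed path, example only) ---
[monitor:///var/log/alarm.log]
sourcetype = alarm_log

# --- Heavy forwarder: props.conf (index-time / parsing settings) ---
[alarm_log]
# one JSON object per line, so break on newlines and never merge lines
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
# timestamp lives in the "LogTimeStamp" key, e.g. "LogTimeStamp":"31/12/2012 23:59:59.123"
TIME_PREFIX = LogTimeStamp":"
TIME_FORMAT = %d/%m/%Y %T.%3N
# only scan a short window after the prefix for the timestamp
MAX_TIMESTAMP_LOOKAHEAD = 30

# --- Indexer / search head: props.conf (search-time settings) ---
[alarm_log]
# search-time JSON field extraction; applied by the search head,
# so this stanza is useless on the forwarder and required here
KV_MODE = json
```

To confirm the stanza on the search head is actually matching, check that the events still carry the expected sourcetype (for example `sourcetype=alarm_log | stats count by sourcetype`) and that the props.conf holding KV_MODE sits in an app the search head reads (an app's local/props.conf, or etc/system/local). If the search shows a different sourcetype name, or the only props.conf with KV_MODE lives on the forwarder, KV_MODE never applies and spath is the only way to get the fields.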