We have the following config, which does index-time field extraction of the **job** field, and search-time field extraction of JSON events (KV_MODE=json).
fields.conf

```ini
[job]
INDEXED = true
```

transforms.conf

```ini
[my_job]
# capture group 1 holds the job value referenced by FORMAT as $1
REGEX = \"job\":\"([^\"]+)\"
FORMAT = job::$1
WRITE_META = true
```

props.conf

```ini
[my_json]
KV_MODE = json
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
TIME_PREFIX = \"time\":\"
TRANSFORMS-job = my_job
disabled = false
```
Not surprisingly, the job field (only) gets extracted twice, so a search with `... | table job other_field` gives results like this:

| job  | other_field  |
| ---- | ------------ |
| job1 | other_value1 |
| job1 |              |
| job2 | other_value2 |
| job2 |              |
I have read here: http://docs.splunk.com/Documentation/Splunk/6.0/Data/Configureindex-timefieldextraction that since "a field of the same name is extracted at search time" we should set fields.conf INDEXED=false but this did not seem to help, even for events that were indexed after the change. Also the fields.conf/job setting is shared by other non-json source types that are working fine.
Any suggestions?
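To see why the two extraction passes collide, here is an added Python model (not from the post, and not Splunk's own code) that applies the transforms.conf REGEX as the index-time pass and `KV_MODE=json` as the search-time pass to constructed sample events, then merges the results the way the duplicated `job` column shows up; the event shapes and timestamps are assumptions.

```python
import json
import re

# transforms.conf [my_job] REGEX from the question; \" matches a literal quote
# in PCRE and in Python's re, and group 1 pairs with FORMAT = job::$1.
INDEX_TIME_REGEX = re.compile(r'\"job\":\"([^\"]+)\"')

# Constructed sample events in the shape props.conf [my_json] expects.
SAMPLE_EVENTS = [
    '{"time":"2024-01-01T00:00:00Z","job":"job1","other_field":"other_value1"}',
    '{"time":"2024-01-01T00:00:01Z","job":"job2","other_field":"other_value2"}',
]


def index_time_fields(raw):
    """Mimic the index-time transform: one `job` value written to metadata."""
    match = INDEX_TIME_REGEX.search(raw)
    return {"job": [match.group(1)]} if match else {}


def search_time_fields(raw, kv_mode_json=True):
    """Mimic KV_MODE=json: every top-level key becomes a search-time field."""
    if not kv_mode_json:
        return {}
    return {key: [str(value)] for key, value in json.loads(raw).items()}


def extracted_fields(raw, kv_mode_json=True):
    """Merge both passes; a field produced by both becomes multivalued."""
    merged = {}
    for pass_fields in (index_time_fields(raw),
                        search_time_fields(raw, kv_mode_json)):
        for key, values in pass_fields.items():
            merged.setdefault(key, []).extend(values)
    return merged


def table(raw_events, *fields, kv_mode_json=True):
    """Rows of multivalue cells, like `| table job other_field`."""
    return [[extracted_fields(raw, kv_mode_json).get(f, []) for f in fields]
            for raw in raw_events]


if __name__ == "__main__":
    for row in table(SAMPLE_EVENTS, "job", "other_field"):
        print(row)  # job cell holds two copies, other_field holds one
```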