Hi Guys
Pretty new to all this and struggling to understand all the other answers.
I have a cronjob which extracts CMDB data from ServiceNow in JSON format at 1am each day. It overwrites a file. My Splunk is monitoring that file. I am expecting 463 results/events, with 90ish fields per event.
I have a universal forwarder on a server with internet access which forwards straight to the indexers.
I have tried these settings in props.conf:
KV_MODE = json
AUTO_KV_JSON = false
NO_BINARY_CHECK = 1
TRUNCATE = 0
BUT using this, searches only give me 207 results/events.
So I then tried:
INDEXED_EXTRACTIONS = json
KV_MODE = none
NO_BINARY_CHECK = 1
TRUNCATE = 0
This gives me the expected 463 events, but the search is extracting the fields twice.
How do I get all the events, with the fields extracted only once?
Is there some sort of LIMIT I can set?
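For reference, an added illustration (not from the poster, and not copied from Splunk's documentation) of how the two kinds of settings named in the post are normally split between tiers. The sourcetype name cmdb_json, the index name cmdb and the monitor path /opt/cmdb/export.json are assumptions; substitute your own.

```ini
# Added example, not part of the original post. Assumes the monitored
# file is /opt/cmdb/export.json, sourcetype cmdb_json, index cmdb.

# ---------- Universal forwarder (the host that reads the file) ----------

# inputs.conf
[monitor:///opt/cmdb/export.json]
sourcetype = cmdb_json
index = cmdb

# props.conf
# INDEXED_EXTRACTIONS is applied where the file is read, so on a UF it
# must live here. Each JSON object becomes one event and its keys are
# written as indexed fields; no line-merging rules are needed.
[cmdb_json]
INDEXED_EXTRACTIONS = json
NO_BINARY_CHECK = true
TRUNCATE = 0

# ---------- Search head (wherever the searches are run) ----------

# props.conf
# KV_MODE and AUTO_KV_JSON are search-time settings and do nothing on the
# forwarder. With the keys already indexed by the UF, the default
# KV_MODE = auto on the search head extracts the same JSON keys a second
# time at search time, which is what shows every field twice. Setting
# KV_MODE = none leaves only the indexed copy; AUTO_KV_JSON = false is
# redundant once KV_MODE is none, but it is harmless to keep.
[cmdb_json]
KV_MODE = none
AUTO_KV_JSON = false
```

Both changes only affect data indexed after they are in place, so restart splunkd on the forwarder and wait for the next 1am run (or re-index the file) before comparing counts. A quick check on the search head is `index=cmdb sourcetype=cmdb_json earliest=-1d | stats count`, and `| fieldsummary` on the same search will show whether each key now appears once.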