I have a new data source that extracts quite well using KV_MODE = auto (or KV_MODE = json).
The data itself is a simple KV pair: "host:" "host-value"
I would think that Splunk would pick up on the fact that there's a host field already being extracted by the KV mode. But it seems to interfere with the "constant value" set for the host field value from the "Add Data" GUI.
I can also set the inputs stanza manually, but I see dual entries for my host values for each event: host value 1 = actual_host_in_the_data and host value 2 = my_full_splunk_instance.
I tried setting a host override using a TRANSFORMS, but nothing changes. The only thing I can think of is that the KV mode is an index-time extraction, and so is TRANSFORMS. Trying to overwrite a field that doesn't exist yet at index-time isn't working.
Thoughts?
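For reference, the index-time host override described in the question is normally expressed with a `TRANSFORMS-` class in props.conf that points at a transforms.conf stanza writing to `MetaData:Host`. The configuration below is an added example, not configuration from the original post; the sourcetype name `my_json_source`, the stanza name `set_host_from_json` and the assumption that the raw event contains a JSON-style `"host": "value"` pair are all assumptions. KV_MODE is a search-time setting, so it has no effect on the `host` metadata field; the `host` field it extracts at search time is a separate field that happens to share the name, which is one way to end up with two values shown per event.

```ini
# props.conf (on the indexer or heavy forwarder that first parses the data;
# a universal forwarder does not run index-time transforms)
[my_json_source]
# Run the transform below at index time for every event of this sourcetype.
TRANSFORMS-sethost = set_host_from_json
# Search-time JSON extraction is independent of the host override above.
KV_MODE = json

# transforms.conf
[set_host_from_json]
# Capture the value of a JSON-style "host": "..." pair in the raw event.
# (Assumed event shape; adjust the REGEX to the real record layout.)
REGEX = "host"\s*:\s*"([^"]+)"
# Write the captured group into the host metadata field.
FORMAT = host::$1
DEST_KEY = MetaData:Host
```

The override only applies to data indexed after the change (a restart or a `splunk reload` of the parsing tier is required), so existing events keep whatever host they were indexed with. To confirm it worked on new data, compare `host` and the search-time field from the JSON side by side in a search such as `sourcetype=my_json_source | table host _raw`; if the metadata host is still the forwarder name, the transform is not running on the instance that parses the stream.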