I'm seeing two issues that I'm pretty sure are related, but I can't figure out why. I have JSON events as data (using Splunk Enterprise 6.4.1). I am extracting 2 fields at index time, but also have KV_MODE=json so that the rest of the fields can be extracted at search time. This is causing the 2 index-time extracted fields to be duplicated in search results. Is there a way to tell Splunk NOT to apply search-time extractions to fields that are extracted at index time?
Possibly a side-effect of the double extraction is that my calculated field which is based on one of the index-time extracted fields is not working. Calculated fields based on the search-time extracted fields are working.
props.conf:

```
[foo_json]
KV_MODE=json
LINE_BREAKER=\s{4}\{(,[\n\r])\s{4}(\{.*)
SHOULD_LINEMERGE=FALSE
TIME_FORMAT=%Y-%m-%dT%H:%M:%S%Z
TIME_PREFIX=eventTime\"\s*:\s*\"
# calculated (search-time) fields
EVAL-sessionLenMB=sessionLength/1024/1024
EVAL-priority=substr(original_filename,8,1)
# index-time transforms (the class name is separated with a hyphen, TRANSFORMS-<class>)
TRANSFORMS-add_sessionLength=index_sessionLen_field
TRANSFORMS-add_fileType=index_fileType_field
```
transforms.conf:

```
# capture group 1 is referenced by FORMAT as $1
[index_sessionLen_field]
REGEX=sessionLength\"\s*:\s*(\d+?)\",
FORMAT=sessionLength::$1
WRITE_META=true

[index_fileType_field]
REGEX=fileType\"\s*:\s*([\w\d]+?)\",
FORMAT=fileType::$1
WRITE_META=true
```
fields.conf:

```
[sessionLength]
INDEXED=true

[fileType]
INDEXED=true
```
`index=foo | table priority, sessionLength, sessionLengthMB, fileType` returns results like this:
```
priority  sessionLength  sessionLengthMB  fileType
--------  -------------  ---------------  --------
4         11342                           text
          11342                           text
--------  -------------  ---------------  --------
2         3212                            text
          3212                            text
```
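Added example (not part of the question or of Splunk itself): a small Python model of the two extraction passes described above, run over one constructed JSON event. It transcribes the index-time regexes from the transforms.conf in the question (assuming the value may be quoted or unquoted, so an optional quote is allowed around the capture group), flattens the top-level JSON keys the way KV_MODE=json would, and appends both results into one multivalue field per name without de-duplication. It also models the assumption that Splunk eval arithmetic on a multivalue field yields null, which is one way the calculated sessionLenMB can come out empty while priority (built on a search-time-only field) still works; the `mvdedup` helper mirrors what `| eval sessionLength=mvdedup(sessionLength)` would do. All field values and the event are constructed.

```python
import json
import re
from typing import Dict, List, Optional

# Constructed sample event, shaped like the JSON the question's props.conf
# expects (eventTime, sessionLength, fileType, original_filename keys).
SAMPLE_EVENT = json.dumps({
    "eventTime": "2016-06-01T12:00:00UTC",
    "sessionLength": "11342",
    "fileType": "text",
    "original_filename": "archive4_report.txt",
})

# Index-time transforms transcribed from the question's transforms.conf.
# Assumption: the raw value may be quoted or unquoted, hence the optional
# quote ("?) on either side of the capture group.
INDEX_TIME_TRANSFORMS = {
    "sessionLength": re.compile(r'sessionLength"\s*:\s*"?(\d+?)"?,'),
    "fileType": re.compile(r'fileType"\s*:\s*"?([\w\d]+?)"?,'),
}


def index_time_extract(raw: str) -> Dict[str, List[str]]:
    """Model of the WRITE_META=true transforms: fields stored with the event."""
    fields: Dict[str, List[str]] = {}
    for name, rx in INDEX_TIME_TRANSFORMS.items():
        m = rx.search(raw)
        if m:
            fields.setdefault(name, []).append(m.group(1))
    return fields


def search_time_extract(raw: str) -> Dict[str, List[str]]:
    """Model of KV_MODE=json: every top-level key becomes a field."""
    return {k: [str(v)] for k, v in json.loads(raw).items()}


def merge_extractions(raw: str) -> Dict[str, List[str]]:
    """Combine both passes: same field name, values appended into a
    multivalue field, no de-duplication (this is what produces the
    doubled sessionLength / fileType rows)."""
    merged = index_time_extract(raw)
    for k, vals in search_time_extract(raw).items():
        merged.setdefault(k, []).extend(vals)
    return merged


def mvdedup(fields: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Collapse repeated values in each field, order preserved
    (what | eval f=mvdedup(f) does for one field)."""
    return {k: list(dict.fromkeys(v)) for k, v in fields.items()}


def session_len_mb(fields: Dict[str, List[str]]) -> Optional[float]:
    """EVAL-sessionLenMB=sessionLength/1024/1024.
    Assumption modelled here: eval arithmetic on a multivalue field yields
    null, so the calculated field only exists when there is a single value."""
    vals = fields.get("sessionLength", [])
    if len(vals) != 1:
        return None
    return float(vals[0]) / 1024 / 1024


def priority(fields: Dict[str, List[str]]) -> Optional[str]:
    """EVAL-priority=substr(original_filename,8,1); Splunk substr is 1-based."""
    vals = fields.get("original_filename", [])
    if len(vals) != 1:
        return None
    return vals[0][7:8] or None


if __name__ == "__main__":
    merged = merge_extractions(SAMPLE_EVENT)
    print("sessionLength:", merged["sessionLength"])          # two copies of 11342
    print("fileType:", merged["fileType"])                    # two copies of text
    print("sessionLenMB (duplicated):", session_len_mb(merged))          # None
    print("sessionLenMB (deduped):", session_len_mb(mvdedup(merged)))    # ~0.0108
    print("priority:", priority(merged))                                 # 4
```

Running the block shows the same shape as the search results in the question: the two index-time fields carry two identical values each, the calculated field built on one of them is empty, and the calculated field built on a search-time-only field is populated. Removing the duplicate (here via the dedup step) is enough for the arithmetic to produce a value again.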