monk-ee / SplunkAppforAWSBilling


Double Indexed Items - Remove KVMODE #6

Closed monk-ee closed 8 years ago

monk-ee commented 8 years ago

OK, that explains it; you are telling Splunk to extract json fields twice: once at index time (INDEXED_EXTRACTIONS=json) and once at search time (KV_MODE=json). Get rid of the KV_MODE setting.

```
[source::SplunkAppforAWSBilling_Import]
INDEXED_EXTRACTIONS=json
KV_MODE=json
TIME_PREFIX=\"UsageStartDate\":
TIME_FORMAT=%Y-%m-%d %H:%M:%S
```

monk-ee commented 8 years ago

This has been fixed in 2.0.6
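A check for the condition described in the first comment, as an added example that is not part of the issue thread or the app's code: it parses props.conf text and reports stanzas that set both `INDEXED_EXTRACTIONS=json` and `KV_MODE=json`. The second stanza in the sample is hypothetical, and comparing the values case-insensitively is an assumption.

```python
import re

# Constructed sample props.conf: the first stanza mirrors the one quoted in
# the issue; the second is a hypothetical stanza with index-time extraction only.
SAMPLE_PROPS = r'''
[source::SplunkAppforAWSBilling_Import]
INDEXED_EXTRACTIONS=json
KV_MODE=json
TIME_PREFIX=\"UsageStartDate\":
TIME_FORMAT=%Y-%m-%d %H:%M:%S

# hypothetical second stanza
[source::example_other_import]
INDEXED_EXTRACTIONS = JSON
'''

def parse_props(text):
    """Parse props.conf text into {stanza: {KEY: value}}."""
    stanzas, current = {}, "default"  # settings before any header go to [default]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            current = header.group(1)
            stanzas.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")  # split on the first '=' only
        if sep:
            stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas

def double_json_extraction(text):
    """Return stanzas that extract JSON at index time and again at search time."""
    flagged = []
    for name, settings in parse_props(text).items():
        # Assumption: setting values are compared case-insensitively.
        indexed = settings.get("INDEXED_EXTRACTIONS", "").lower()
        kv_mode = settings.get("KV_MODE", "").lower()
        if indexed == "json" and kv_mode == "json":
            flagged.append(name)
    return flagged

if __name__ == "__main__":
    for stanza in double_json_extraction(SAMPLE_PROPS):
        print(f"[{stanza}] extracts JSON at index time and at search time")
```

The check looks at one file's text only; Splunk merges props.conf from several apps and directories, so a stanza can pick up `KV_MODE` from a different file than the one that sets `INDEXED_EXTRACTIONS`.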