Closed monk-ee closed 8 years ago
OK, that explains it; you are telling Splunk to extract json fields twice: once at index time ( INDEXED_EXTRACTIONS=json ) and once at search time ( KV_MODE=json ). Get rid of the KV_MODE setting.
[source::SplunkAppforAWSBilling_Import]
INDEXED_EXTRACTIONS=json
KV_MODE=json
TIME_PREFIX=\"UsageStartDate\":
TIME_FORMAT=%Y-%m-%d %H:%M:%S
This has been fixed in 2.0.6