[https://answers.splunk.com/answers/174939/why-are-my-json-fields-extracted-twice.html][1] shows this props.conf entry on the forwarder:
```
[json_app]
INDEXED_EXTRACTIONS=json
KV_MODE=none
```
However, this [https://kzhendev.wordpress.com/2015/01/19/consuming-json-with-splunk-in-two-simple-steps/][2] shows this being done on the indexer, with the forwarder just setting the sourcetype in the inputs.conf file. If I have a heavy forwarder taking in the JSON logs and forwarding them, can I just put this props.conf on the forwarder and be done there? I'd assume if the answer is yes that I need to do nothing further on the indexer.
[1]: https://answers.splunk.com/answers/174939/why-are-my-json-fields-extracted-twice.html
[2]: https://kzhendev.wordpress.com/2015/01/19/consuming-json-with-splunk-in-two-simple-steps/