https://community.splunk.com/t5/Getting-Data-In/JSON-events-duplicate-extractions/m-p/579416#M102290 <P>I've got a log file that I am monitoring and where I am using a props.conf on the UF to monitor. I'm using the following settings:</P><P>UF - props.conf:</P><P>[my_sourcetype]</P><P>INDEXED_EXTRACTIONS = JSON</P><P>&nbsp;</P><P>Search head cluster&nbsp; (via deployer in an app bundle) props.conf:</P><P>[my_sourcetype]</P><P>KV_MODE = NONE<BR />AUTO_KV_JSON = FALSE</P><P>&nbsp;</P><P>If I run btool on one of the search heads for that sourcetype I get:<BR />ADD_EXTRA_TIME_FIELDS = True<BR />ANNOTATE_PUNCT = True<BR />AUTO_KV_JSON = FALSE<BR />BREAK_ONLY_BEFORE =<BR />BREAK_ONLY_BEFORE_DATE = True<BR />CHARSET = UTF-8<BR />DATETIME_CONFIG = /etc/datetime.xml<BR />DEPTH_LIMIT = 1000<BR />DETERMINE_TIMESTAMP_DATE_WITH_SYSTEM_TIME = false<BR />HEADER_MODE =<BR />KV_MODE = NONE<BR />LB_CHUNK_BREAKER_TRUNCATE = 2000000<BR />LEARN_MODEL = true<BR />LEARN_SOURCETYPE = true<BR />LINE_BREAKER_LOOKBEHIND = 100<BR />MATCH_LIMIT = 100000<BR />MAX_DAYS_AGO = 2000<BR />MAX_DAYS_HENCE = 2<BR />MAX_DIFF_SECS_AGO = 3600<BR />MAX_DIFF_SECS_HENCE = 604800<BR />MAX_EVENTS = 256<BR />MAX_TIMESTAMP_LOOKAHEAD = 128<BR />MUST_BREAK_AFTER =<BR />MUST_NOT_BREAK_AFTER =<BR />MUST_NOT_BREAK_BEFORE =<BR />SEGMENTATION = indexing<BR />SEGMENTATION-all = full<BR />SEGMENTATION-inner = inner<BR />SEGMENTATION-outer = outer<BR />SEGMENTATION-raw = none<BR />SEGMENTATION-standard = standard<BR />SHOULD_LINEMERGE = True<BR />TRANSFORMS =<BR />TRUNCATE = 10000<BR />detect_trailing_nulls = false<BR />maxDist = 100<BR />priority =<BR />sourcetype =<BR />termFrequencyWeightedDist = false</P><P>&nbsp;</P><P>I'm not sure what I am missing but I can't get the duplicate field values to cease.</P> Tue, 28 Dec 2021 22:10:27 GMT dtow1 2021-12-28T22:10:27Z https://community.splunk.com/t5/Getting-Data-In/JSON-events-duplicate-extractions/m-p/579416#M102290 <P>I've got a log file that I am monitoring and where I am using a props.conf on the UF to monitor. I'm using the following settings:</P><P>UF - props.conf:</P><P>[my_sourcetype]</P><P>INDEXED_EXTRACTIONS = JSON</P><P>&nbsp;</P><P>Search head cluster&nbsp; (via deployer in an app bundle) props.conf:</P><P>[my_sourcetype]</P><P>KV_MODE = NONE<BR />AUTO_KV_JSON = FALSE</P><P>&nbsp;</P><P>If I run btool on one of the search heads for that sourcetype I get:<BR />ADD_EXTRA_TIME_FIELDS = True<BR />ANNOTATE_PUNCT = True<BR />AUTO_KV_JSON = FALSE<BR />BREAK_ONLY_BEFORE =<BR />BREAK_ONLY_BEFORE_DATE = True<BR />CHARSET = UTF-8<BR />DATETIME_CONFIG = /etc/datetime.xml<BR />DEPTH_LIMIT = 1000<BR />DETERMINE_TIMESTAMP_DATE_WITH_SYSTEM_TIME = false<BR />HEADER_MODE =<BR />KV_MODE = NONE<BR />LB_CHUNK_BREAKER_TRUNCATE = 2000000<BR />LEARN_MODEL = true<BR />LEARN_SOURCETYPE = true<BR />LINE_BREAKER_LOOKBEHIND = 100<BR />MATCH_LIMIT = 100000<BR />MAX_DAYS_AGO = 2000<BR />MAX_DAYS_HENCE = 2<BR />MAX_DIFF_SECS_AGO = 3600<BR />MAX_DIFF_SECS_HENCE = 604800<BR />MAX_EVENTS = 256<BR />MAX_TIMESTAMP_LOOKAHEAD = 128<BR />MUST_BREAK_AFTER =<BR />MUST_NOT_BREAK_AFTER =<BR />MUST_NOT_BREAK_BEFORE =<BR />SEGMENTATION = indexing<BR />SEGMENTATION-all = full<BR />SEGMENTATION-inner = inner<BR />SEGMENTATION-outer = outer<BR />SEGMENTATION-raw = none<BR />SEGMENTATION-standard = standard<BR />SHOULD_LINEMERGE = True<BR />TRANSFORMS =<BR />TRUNCATE = 10000<BR />detect_trailing_nulls = false<BR />maxDist = 100<BR />priority =<BR />sourcetype =<BR />termFrequencyWeightedDist = false</P><P>&nbsp;</P><P>I'm not sure what I am missing but I can't get the duplicate field values to cease.</P> Tue, 28 Dec 2021 22:10:27 GMT https://community.splunk.com/t5/Getting-Data-In/JSON-events-duplicate-extractions/m-p/579416#M102290 dtow1 2021-12-28T22:10:27Z