https://community.splunk.com/t5/Getting-Data-In/Why-am-I-seeing-a-mismatch-between-Key-Value-and-Count-after/m-p/133941#M27533 <P>Set <CODE>KV_MODE = none</CODE> and your issue should go away.</P> Mon, 13 Apr 2015 17:28:20 GMT martin_mueller 2015-04-13T17:28:20Z https://community.splunk.com/t5/Getting-Data-In/Why-am-I-seeing-a-mismatch-between-Key-Value-and-Count-after/m-p/133935#M27527 <P>I have ingested JSON data &amp; Splunk has extracted important fields automatically, but I see some mismatch between Key-Value &amp; Count. There are many such fields with mismatch in count. </P> <P>As per my screenshot for a single event, "Count" should be 1 instead of 2. Could someone advise me how to fix this problem. <BR /> (i don't see any problem with host, source, sourcetype) <BR /> props.conf</P> <PRE><CODE>[json] KV_MODE = json INDEXED_EXTRACTIONS = JSON TRUNCATE = 0 TIME_PREFIX = startTime": MAX_TIMESTAMP_LOOKAHEAD = 16 SHOULD_LINEMERGE = False NO_BINARY_CHECK = 0 </CODE></PRE> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/301i21E95C59D128F54C/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Mon, 13 Apr 2015 14:23:01 GMT https://community.splunk.com/t5/Getting-Data-In/Why-am-I-seeing-a-mismatch-between-Key-Value-and-Count-after/m-p/133935#M27527 satishsdange 2015-04-13T14:23:01Z https://community.splunk.com/t5/Getting-Data-In/Why-am-I-seeing-a-mismatch-between-Key-Value-and-Count-after/m-p/133936#M27528 <P>Can you post some sample entries? </P> Mon, 13 Apr 2015 15:20:58 GMT https://community.splunk.com/t5/Getting-Data-In/Why-am-I-seeing-a-mismatch-between-Key-Value-and-Count-after/m-p/133936#M27528 somesoni2 2015-04-13T15:20:58Z https://community.splunk.com/t5/Getting-Data-In/Why-am-I-seeing-a-mismatch-between-Key-Value-and-Count-after/m-p/133937#M27529 <P>Unfortunately, I can't share that data. Would you like to see any config? </P> Mon, 13 Apr 2015 15:32:22 GMT https://community.splunk.com/t5/Getting-Data-In/Why-am-I-seeing-a-mismatch-between-Key-Value-and-Count-after/m-p/133937#M27529 satishsdange 2015-04-13T15:32:22Z https://community.splunk.com/t5/Getting-Data-In/Why-am-I-seeing-a-mismatch-between-Key-Value-and-Count-after/m-p/133938#M27530 <P>If you can mask all the sensitive data, that should do. I'm interested in seeing the format of jSON with the mentioned field. On cursory look, the configuration looks correct. One question though, is this a custom sourcetype? and if yes, could you try renaming it to something else?</P> Mon, 13 Apr 2015 15:48:22 GMT https://community.splunk.com/t5/Getting-Data-In/Why-am-I-seeing-a-mismatch-between-Key-Value-and-Count-after/m-p/133938#M27530 somesoni2 2015-04-13T15:48:22Z https://community.splunk.com/t5/Getting-Data-In/Why-am-I-seeing-a-mismatch-between-Key-Value-and-Count-after/m-p/133939#M27531 <P>I'd say your event contains two Call_Drop values.</P> <P>If not, you could post anonymized events.</P> Mon, 13 Apr 2015 15:50:49 GMT https://community.splunk.com/t5/Getting-Data-In/Why-am-I-seeing-a-mismatch-between-Key-Value-and-Count-after/m-p/133939#M27531 martin_mueller 2015-04-13T15:50:49Z https://community.splunk.com/t5/Getting-Data-In/Why-am-I-seeing-a-mismatch-between-Key-Value-and-Count-after/m-p/133940#M27532 <P>Here is an event. Important fields have been extracted by Splunk. e.g corCallHeader.firstCellId=1.<BR /> Then I have used Alias to change it to Cell_ID. </P> <P>{"corCallHeader":{"traceId":123456789123456,"startTime":1395736409790,"stopTime":1395736414180,"callDuration":4390,"rnti":0,"imsi":48,"tmsi":962442424,"</P> <P>P.S - deleting original log</P> Mon, 13 Apr 2015 16:55:28 GMT https://community.splunk.com/t5/Getting-Data-In/Why-am-I-seeing-a-mismatch-between-Key-Value-and-Count-after/m-p/133940#M27532 satishsdange 2015-04-13T16:55:28Z https://community.splunk.com/t5/Getting-Data-In/Why-am-I-seeing-a-mismatch-between-Key-Value-and-Count-after/m-p/133941#M27533 <P>Set <CODE>KV_MODE = none</CODE> and your issue should go away.</P> Mon, 13 Apr 2015 17:28:20 GMT https://community.splunk.com/t5/Getting-Data-In/Why-am-I-seeing-a-mismatch-between-Key-Value-and-Count-after/m-p/133941#M27533 martin_mueller 2015-04-13T17:28:20Z