https://community.splunk.com/t5/Getting-Data-In/duplicate-host-field-when-raw-is-json/m-p/535689#M89841 <P>Hi all,</P><P>I'm having non-indexed-extracted json in events. When there is a json "host" field host, which is different from the indexed "host", then the search view is showing you 2 values for host in smart or verbose mode.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Bildschirmfoto 2021-01-13 um 18.07.19.png" style="width: 934px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/12527i6D013DACA2D30101/image-size/large?v=v2&amp;px=999" role="button" title="Bildschirmfoto 2021-01-13 um 18.07.19.png" alt="Bildschirmfoto 2021-01-13 um 18.07.19.png" /></span></P><P>you can't work with the searchtime extracted json host field - clicking on it gives you no results - as host is an indexed field.&nbsp;<BR />.. when you are doing a ... | stats count by host, then only "indextimehost" is reported back - as expected.&nbsp;&nbsp;</P><P>this behaviour differers from "normal" kv searchtime detection:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Bildschirmfoto 2021-01-13 um 18.12.01.png" style="width: 716px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/12529iAFF6FA4D9002E9B5/image-size/large?v=v2&amp;px=999" role="button" title="Bildschirmfoto 2021-01-13 um 18.12.01.png" alt="Bildschirmfoto 2021-01-13 um 18.12.01.png" /></span></P><P>&nbsp;</P><P>i found multiple posts regarding this like:</P><P><A href="https://community.splunk.com/t5/Getting-Data-In/Duplicate-host-field-after-indexing-JSON-event/m-p/292472" target="_blank">https://community.splunk.com/t5/Getting-Data-In/Duplicate-host-field-after-indexing-JSON-event/m-p/292472</A></P><P>unfortunately i'm not able to change the json field name at the source. Rewriting is also no good option for me.&nbsp;<BR /><BR />This more looks like a display bug for me.. but drives the poweruser crasy.&nbsp;&nbsp;</P><P>best Regards,</P><P>Andreas</P> Wed, 13 Jan 2021 17:27:32 GMT schose 2021-01-13T17:27:32Z https://community.splunk.com/t5/Getting-Data-In/duplicate-host-field-when-raw-is-json/m-p/535689#M89841 <P>Hi all,</P><P>I'm having non-indexed-extracted json in events. When there is a json "host" field host, which is different from the indexed "host", then the search view is showing you 2 values for host in smart or verbose mode.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Bildschirmfoto 2021-01-13 um 18.07.19.png" style="width: 934px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/12527i6D013DACA2D30101/image-size/large?v=v2&amp;px=999" role="button" title="Bildschirmfoto 2021-01-13 um 18.07.19.png" alt="Bildschirmfoto 2021-01-13 um 18.07.19.png" /></span></P><P>you can't work with the searchtime extracted json host field - clicking on it gives you no results - as host is an indexed field.&nbsp;<BR />.. when you are doing a ... | stats count by host, then only "indextimehost" is reported back - as expected.&nbsp;&nbsp;</P><P>this behaviour differers from "normal" kv searchtime detection:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Bildschirmfoto 2021-01-13 um 18.12.01.png" style="width: 716px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/12529iAFF6FA4D9002E9B5/image-size/large?v=v2&amp;px=999" role="button" title="Bildschirmfoto 2021-01-13 um 18.12.01.png" alt="Bildschirmfoto 2021-01-13 um 18.12.01.png" /></span></P><P>&nbsp;</P><P>i found multiple posts regarding this like:</P><P><A href="https://community.splunk.com/t5/Getting-Data-In/Duplicate-host-field-after-indexing-JSON-event/m-p/292472" target="_blank">https://community.splunk.com/t5/Getting-Data-In/Duplicate-host-field-after-indexing-JSON-event/m-p/292472</A></P><P>unfortunately i'm not able to change the json field name at the source. Rewriting is also no good option for me.&nbsp;<BR /><BR />This more looks like a display bug for me.. but drives the poweruser crasy.&nbsp;&nbsp;</P><P>best Regards,</P><P>Andreas</P> Wed, 13 Jan 2021 17:27:32 GMT https://community.splunk.com/t5/Getting-Data-In/duplicate-host-field-when-raw-is-json/m-p/535689#M89841 schose 2021-01-13T17:27:32Z https://community.splunk.com/t5/Getting-Data-In/duplicate-host-field-when-raw-is-json/m-p/536088#M89879 <P>&nbsp;</P><LI-CODE lang="markup">index=_internal | head 1 | fields _raw host | eval _raw="{\"host\": \"your host\"}" | spath</LI-CODE><P>&nbsp;</P><P><A href="https://docs.splunk.com/Documentation/Splunk/8.1.1/Knowledge/Automatickey-valuefieldextractionsatsearch-time" target="_blank">https://docs.splunk.com/Documentation/Splunk/8.1.1/Knowledge/Automatickey-valuefieldextractionsatsearch-time</A></P><P>In default, KV_MODE=auto. so json is extracted, so if the event has the same name, it will inevitably become.</P><P>&nbsp;</P><LI-CODE lang="markup">index=_internal | head 1 | fields _raw host | eval _raw="{\"host\": \"your host\"}" | eval hostname=spath(_raw,"host")</LI-CODE><P>&nbsp;</P><P>how about this?</P> Sat, 16 Jan 2021 00:08:39 GMT https://community.splunk.com/t5/Getting-Data-In/duplicate-host-field-when-raw-is-json/m-p/536088#M89879 to4kawa 2021-01-16T00:08:39Z