https://community.splunk.com/t5/Splunk-Search/Duplicate-Extracted-Fields-ingest-through-HEC/m-p/503338#M140031 <P>Hi,</P> <P>Please configure below props.conf on Search Head.</P> <PRE><CODE>[mycustomsourcetype] KV_MODE = none </CODE></PRE> Tue, 22 Oct 2019 23:17:35 GMT harsmarvania57 2019-10-22T23:17:35Z https://community.splunk.com/t5/Splunk-Search/Duplicate-Extracted-Fields-ingest-through-HEC/m-p/503337#M140030 <P>Hi, I am seeing duplicate extractions for events in my Splunk instance. To give a background, I have a couple forwarders (which are mostly not used), an indexer cluster in which each indexer is running the Splunk HEC and the HEC is sitting behind a load balancer, I have one index cluster master and finally I have a search head cluster.</P> <P>There is not a props.conf file on the search heads. </P> <P>Currently the props.conf lives in the /opt/splunk/etc/system/local/ directory on the indexers. Here is a sample config:</P> <P>[mycustomsourcetype]<BR /> DATETIME_CONFIG =<BR /> INDEXED_EXTRACTIONS = json<BR /> KV_MODE = none<BR /> AUTO_KV_JSON = false<BR /> LINE_BREAKER = ([\r\n]+)<BR /> NO_BINARY_CHECK = true<BR /> TZ = UTC<BR /> category = Structured<BR /> description = ticket stuff<BR /> disabled = false<BR /> TRUNCATE = 0<BR /> pulldown_type = true</P> <P>Considering the only props.conf that I believe should be dictating extractions is on the indexers, I'm very confused about how to fix this.</P> <P>Any help would be greatly appreciated. Thanks!</P> Wed, 30 Sep 2020 02:35:43 GMT https://community.splunk.com/t5/Splunk-Search/Duplicate-Extracted-Fields-ingest-through-HEC/m-p/503337#M140030 mrstrozy 2020-09-30T02:35:43Z https://community.splunk.com/t5/Splunk-Search/Duplicate-Extracted-Fields-ingest-through-HEC/m-p/503338#M140031 <P>Hi,</P> <P>Please configure below props.conf on Search Head.</P> <PRE><CODE>[mycustomsourcetype] KV_MODE = none </CODE></PRE> Tue, 22 Oct 2019 23:17:35 GMT https://community.splunk.com/t5/Splunk-Search/Duplicate-Extracted-Fields-ingest-through-HEC/m-p/503338#M140031 harsmarvania57 2019-10-22T23:17:35Z https://community.splunk.com/t5/Splunk-Search/Duplicate-Extracted-Fields-ingest-through-HEC/m-p/503339#M140032 <P>The part I forgot to mention was that the events ingested prior to the architecture change did not have duplicate extractions which added to the confusion. I noticed that the replication and search factors were not being met and so I explicitly added to the master server.conf clustering section with "replication_factor = 3" (though I thought this was the case by default). After doing so the replication and search factors were then met and all ingested events from that point on did not have duplicate field extractions. </P> <P>I am pretty confused by this so anyone with more advanced knowledge please feel free to chime in. I would love to fully understand why this was the case.</P> Wed, 23 Oct 2019 18:42:23 GMT https://community.splunk.com/t5/Splunk-Search/Duplicate-Extracted-Fields-ingest-through-HEC/m-p/503339#M140032 mrstrozy 2019-10-23T18:42:23Z https://community.splunk.com/t5/Splunk-Search/Duplicate-Extracted-Fields-ingest-through-HEC/m-p/503340#M140033 <P>Set this on your <CODE>Search Head</CODE>:</P> <H4>props.conf</H4> <PRE><CODE>[mycustomsourcetype] KV_MODE = none AUTO_KV_JSON = false </CODE></PRE> Fri, 25 Oct 2019 23:32:49 GMT https://community.splunk.com/t5/Splunk-Search/Duplicate-Extracted-Fields-ingest-through-HEC/m-p/503340#M140033 woodcock 2019-10-25T23:32:49Z https://community.splunk.com/t5/Splunk-Search/Duplicate-Extracted-Fields-ingest-through-HEC/m-p/503341#M140034 <P>I needed both KV_MODE and AUTO_KV_JSON, thanks <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/1406">@woodcock</a>!</P> Wed, 30 Sep 2020 05:34:36 GMT https://community.splunk.com/t5/Splunk-Search/Duplicate-Extracted-Fields-ingest-through-HEC/m-p/503341#M140034 ruman_splunk 2020-09-30T05:34:36Z