topic Why does the REST Search in json format returns duplicate results? in Splunk Search https://community.splunk.com/t5/Splunk-Search/Why-does-the-REST-Search-in-json-format-returns-duplicate/m-p/510503#M142879 <P>I'm performing a REST Search that ends with a | table command</P> <P>When I configure the script to csv format, I get 5 events. &nbsp;Raw format, 5 events. Splunk Web: 5 statistics/events. &nbsp;But when I switch the format to json, 10 events, 5 of which are duplicates. &nbsp;</P> <P>Is there any valid reason why json should be any different than all the other types?</P> <P>I've read solutions that suggest going to the config files, this is not available to me.</P> <P>Hopefully, there is a way inline with my search to tell Splunk that I want, say, &nbsp;just the data that shows up in my table. &nbsp;This would be ideal.</P> <P>Thanks so much.</P> Thu, 23 Jul 2020 03:41:34 GMT chris94089 2020-07-23T03:41:34Z Why does the REST Search in json format returns duplicate results? https://community.splunk.com/t5/Splunk-Search/Why-does-the-REST-Search-in-json-format-returns-duplicate/m-p/510503#M142879 <P>I'm performing a REST Search that ends with a | table command</P> <P>When I configure the script to csv format, I get 5 events. &nbsp;Raw format, 5 events. Splunk Web: 5 statistics/events. &nbsp;But when I switch the format to json, 10 events, 5 of which are duplicates. &nbsp;</P> <P>Is there any valid reason why json should be any different than all the other types?</P> <P>I've read solutions that suggest going to the config files, this is not available to me.</P> <P>Hopefully, there is a way inline with my search to tell Splunk that I want, say, &nbsp;just the data that shows up in my table. &nbsp;This would be ideal.</P> <P>Thanks so much.</P> Thu, 23 Jul 2020 03:41:34 GMT https://community.splunk.com/t5/Splunk-Search/Why-does-the-REST-Search-in-json-format-returns-duplicate/m-p/510503#M142879 chris94089 2020-07-23T03:41:34Z Re: REST Search in json format returns duplicate results https://community.splunk.com/t5/Splunk-Search/Why-does-the-REST-Search-in-json-format-returns-duplicate/m-p/510555#M142893 <P><A href="https://docs.splunk.com/Documentation/Splunk/8.0.5/Knowledge/Automatickey-valuefieldextractionsatsearch-time" target="_blank">https://docs.splunk.com/Documentation/Splunk/8.0.5/Knowledge/Automatickey-valuefieldextractionsatsearch-time</A><BR /><BR /></P><LI-CODE lang="markup">When KV_MODE is set to auto or auto_escaped, automatic JSON field extraction can take place alongside other automatic key/value field extractions. To disable JSON field extraction without changing the KV_MODE value from auto, add AUTO_KV_JSON=false to the stanza. When not set, AUTO_KV_JSON defaults to true.</LI-CODE> Thu, 23 Jul 2020 00:20:17 GMT https://community.splunk.com/t5/Splunk-Search/Why-does-the-REST-Search-in-json-format-returns-duplicate/m-p/510555#M142893 to4kawa 2020-07-23T00:20:17Z