https://community.splunk.com/t5/Splunk-Search/Duplicate-entries-in-splunk-search/m-p/527352#M148867 <P>Hi Splunk experts</P><P>I need one help, the splunk search is giving me duplicate entries when I do a search. I have made sure that there are no duplicate events and I have also used dedup in my search. Still it gives me duplicates. Need your help. See the attached image.</P><P>Could you please let me know what could be the issue?</P><P>Thanks and best regards</P><P>Krishna</P> Fri, 30 Oct 2020 17:45:10 GMT krishna_11 2020-10-30T17:45:10Z https://community.splunk.com/t5/Splunk-Search/Duplicate-entries-in-splunk-search/m-p/527352#M148867 <P>Hi Splunk experts</P><P>I need one help, the splunk search is giving me duplicate entries when I do a search. I have made sure that there are no duplicate events and I have also used dedup in my search. Still it gives me duplicates. Need your help. See the attached image.</P><P>Could you please let me know what could be the issue?</P><P>Thanks and best regards</P><P>Krishna</P> Fri, 30 Oct 2020 17:45:10 GMT https://community.splunk.com/t5/Splunk-Search/Duplicate-entries-in-splunk-search/m-p/527352#M148867 krishna_11 2020-10-30T17:45:10Z https://community.splunk.com/t5/Splunk-Search/Duplicate-entries-in-splunk-search/m-p/527362#M148870 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/226100">@krishna_11</a>&nbsp;,&nbsp;</P><P>Which is the original format of the log entries? Is it JSON or XML?</P><P>Maybe you should validate if the sourcetype contains both INDEXED_EXTRACTIONS and KV_MODE set to JSON/XML. If both of them are set, try removing one of them, such as INDEXED_EXTRACTIONS=JSON and KV_MODE=None.</P> Fri, 30 Oct 2020 18:55:32 GMT https://community.splunk.com/t5/Splunk-Search/Duplicate-entries-in-splunk-search/m-p/527362#M148870 alonsocaio 2020-10-30T18:55:32Z https://community.splunk.com/t5/Splunk-Search/Duplicate-entries-in-splunk-search/m-p/527377#M148871 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/156088">@alonsocaio</a>&nbsp;</P><P>The original format of the log entries is JSON.</P><P>The sourcetype contains only INDEXED_EXTRACTIONS is set to JSON and I have not set KV_MODE at all.</P><P>Are there any other ideas?&nbsp;</P><P>Best regards</P><P>Krishna</P> Fri, 30 Oct 2020 21:26:50 GMT https://community.splunk.com/t5/Splunk-Search/Duplicate-entries-in-splunk-search/m-p/527377#M148871 krishna_11 2020-10-30T21:26:50Z https://community.splunk.com/t5/Splunk-Search/Duplicate-entries-in-splunk-search/m-p/527425#M148880 <P>Are you able to share your sourcetype configs?</P> Sat, 31 Oct 2020 17:12:41 GMT https://community.splunk.com/t5/Splunk-Search/Duplicate-entries-in-splunk-search/m-p/527425#M148880 alonsocaio 2020-10-31T17:12:41Z https://community.splunk.com/t5/Splunk-Search/Duplicate-entries-in-splunk-search/m-p/527427#M148881 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/156088">@alonsocaio</a>&nbsp;</P><P>Here is my source type config:</P><P>[source::...ta-audit-logs-ingester*.log*]<BR />sourcetype = taauditlogsingester:log</P><P>[source::...ta_audit_logs_ingester*.log*]<BR />sourcetype = taauditlogsingester:log</P><P>[Audit-Logs-Source]<BR />INDEXED_EXTRACTIONS = json<BR />SHOULD_LINEMERGE = 0<BR />category = Splunk App Add-on Builder<BR />pulldown_type = 1</P><P>&nbsp;</P><P>Thank you so much for your help. Greatly appreciated.</P><P>Thanks and best regards</P><P>Krishna</P> Sat, 31 Oct 2020 17:35:23 GMT https://community.splunk.com/t5/Splunk-Search/Duplicate-entries-in-splunk-search/m-p/527427#M148881 krishna_11 2020-10-31T17:35:23Z https://community.splunk.com/t5/Splunk-Search/Duplicate-entries-in-splunk-search/m-p/527434#M148883 <P>Hi <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/226100">@krishna_11</a>&nbsp;</P><P>I have tested a simple json file with this sourcetype settings:</P><LI-CODE lang="markup">[test:json] INDEXED_EXTRACTIONS = json SHOULD_LINEMERGE = 0 pulldown_type = 1</LI-CODE><P>And It returned me duplicated values.</P><P>When I added KV_MODE = None to the sourcetype, It parsed the json correctly.</P><LI-CODE lang="markup">[test:json] INDEXED_EXTRACTIONS = json SHOULD_LINEMERGE = 0 KV_MODE = None pulldown_type = 1</LI-CODE><P>I would suggest you to test using the KV_MODE option to validate if It works for you.</P> Sun, 01 Nov 2020 00:54:13 GMT https://community.splunk.com/t5/Splunk-Search/Duplicate-entries-in-splunk-search/m-p/527434#M148883 alonsocaio 2020-11-01T00:54:13Z https://community.splunk.com/t5/Splunk-Search/Duplicate-entries-in-splunk-search/m-p/527590#M148944 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/156088">@alonsocaio</a>&nbsp;</P><P>I have been testing and it looks like your solution worked like a charm. Thank you so much for this amazing solution. Greatly appreciate it. I have been trying for quite some time and could not find any solution.&nbsp;</P><P>You are a lifesaver <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>-Krishna</P> Mon, 02 Nov 2020 19:30:20 GMT https://community.splunk.com/t5/Splunk-Search/Duplicate-entries-in-splunk-search/m-p/527590#M148944 krishna_11 2020-11-02T19:30:20Z