topic Why splunk Search returning duplicates? in Splunk Search

Why splunk Search returning duplicates?

karthi25 — Wed, 13 Apr 2022 05:44:27 GMT

As shown below I have only two events present on my index

But when i execute the below search query

index = **** |rex field=_raw "(?msi)(?<json_field>\{.+\}$)" | spath input=json_field |rename SCMSplunkLog.SCMFailureLog.appName as APPNAME,SCMSplunkLog.SCMFailureLog.eventType as EVENTTYPE,SCMSplunkLog.SCMFailureLog.payload.level as LEVEL,SCMSplunkLog.SCMFailureLog.payload.errorDescription as ERRORDESCRIPTION,SCMSplunkLog.SCMFailureLog.payload.startTime as STARTDATE,SCMSplunkLog.SCMFailureLog.payload.endTime as ENDDATE |where APPNAME!="" and LEVEL="ERROR"|table APPNAME,EVENTTYPE,STARTDATE,ENDDATE,LEVEL,ERRORDESCRIPTION

I was getting duplicate entries on result table as below

Can anyone please help me with this.

Edited:
Attached sample json:

{ "SCMSplunkLog" : { "SCMFailureLog" : { "appName" : "Testing_splunk_alerts_log", "eventType" : "Testing_splunk_alerts_log", "payload" : { "level" : "ERROR", "startTime" : "2022-04-12T13:57:49.156Z", "successCount" : 0, "failureCount" : 0, "publishedCount" : 0, "errorCode" : 0, "errorDescription" : "ERROR: relation \"test.testLand\" does not exist\n Position: 8", "sourceCount" : 0, "endTime" : "2022-04-12T13:57:54.483Z" } } } }

Re: Why splunk Search returning duplicates?

mayurr98 — Tue, 12 Apr 2022 17:46:42 GMT

Could you please give us sample JSON raw events. paste in </>

Re: Why splunk Search returning duplicates?

karthi25 — Wed, 13 Apr 2022 05:46:22 GMT

@mayurr98 updated my post with sample JSON

Re: Why splunk Search returning duplicates?

VatsalJagani — Wed, 13 Apr 2022 06:04:06 GMT

I tried the same that you have. It seems working as expected.

| makeresults | eval _raw="{ \"SCMSplunkLog\" : { \"SCMFailureLog\" : { \"appName\" : \"Testing_splunk_alerts_log\", \"eventType\" : \"Testing_splunk_alerts_log\", \"payload\" : { \"level\" : \"ERROR\", \"startTime\" : \"2022-04-12T13:57:49.156Z\", \"successCount\" : 0, \"failureCount\" : 0, \"publishedCount\" : 0, \"errorCode\" : 0, \"errorDescription\" : \"ERROR: relation \"test.testLand\" does not exist\n Position: 8\", \"sourceCount\" : 0, \"endTime\" : \"2022-04-12T13:57:54.483Z\" } } } }"