topic Re: Why is my search on JSON data producing duplicate results for each line, except for the date and time? in Splunk Search

Why is my search on JSON data producing duplicate results for each line, except for the date and time?

rafamss — Fri, 04 Dec 2015 17:52:59 GMT

Hi guys,

I have a problem. Every time I try to run the following search, the result is duplicated in each line, but the date and time. What can be? My log is in format JSON.

index="my_index" source="my_source" sourcetype="my_sourcetype"
| rename field1 , field2, field3, ....
| eval Date = strftime(_time, "%d-%m-%Y")
| eval Hour = strftime(_time, "%H-%M-%S")
| spath output=Rules  path=field.sub-field{}.code
| table Date, Hour, field1 , field2, field3, ....

Re: Why is my search on JSON data producing duplicate results for each line, except for the date and time?

landen99 — Tue, 29 Sep 2020 08:04:23 GMT

The data is most likely being indexed with indexed extractions and also searched with search-time extractions. Your indexer props.conf file likely has a line to do indexed extractions (not best practice):
INDEXED_EXTRACTIONS = json
On the search head props.conf:
KV_MODE = json

Deleting "INDEXED_EXTRACTIONS = json" from the indexer will solve the issue for everything indexed after the indexer is restarted. Anything already indexed will retain their indexed extractions, so you might want to delete the indexed data and re-index everything.

Re: Why is my search on JSON data producing duplicate results for each line, except for the date and time?

rafamss — Fri, 04 Dec 2015 19:42:36 GMT

landen,

This occurs every time that I try use the command table. I changed the configuration but continuous similarity. Do you have any ideia ?

Re: Why is my search on JSON data producing duplicate results for each line, except for the date and time?

woodcock — Sat, 05 Dec 2015 20:08:14 GMT

The table command just accentuates the fact that the fields have multiple/duplicated values. If you do not use table and then click on the field in the left fields panel, you will see that it is also duplicated there, even though you are not using table. This answer is probably the correct explanation.

Re: Why is my search on JSON data producing duplicate results for each line, except for the date and time?

rafamss — Tue, 15 Mar 2016 18:45:38 GMT

Thanks guys. The solution works fine.

Re: Why is my search on JSON data producing duplicate results for each line, except for the date and time?

landen99 — Mon, 21 Sep 2020 20:21:19 GMT

The other solution is to leave it as an indexed field and add KVMODE=false to the search head.

Re: Why is my search on JSON data producing duplicate results for each line, except for the date and time?

landen99 — Tue, 22 Sep 2020 14:59:09 GMT

Or index the field and set KVMODE to none.