Duplicative JSON events in all but one App

peterm30
Path Finder

We are having an issue with duplicative JSON fields coming from Duo (the 2FA provider) events. Our scenario seems to be a bit different than what others are encountering though. When searching within the Duo app (https://splunkbase.splunk.com/app/3504/), there is no duplication. However, when searching within any other app (default Search and Reporting, other custom apps, etc.), we are seeing the duplication of fields.

We are using Splunk Cloud, so we do not have backend access to our search head or indexers, but we can change anything that can be configured in the web interface. We do have backend access to the heavy forwarders.

The Duo app is installed on one such heavy forwarder that receives the events via API. Since the app seems to be working, our initial thought was to apply the app's default props.conf to all other apps by copying it to /opt/splunk/etc/system/local. Playing with the settings here, we can see that it does have an effect, but the default settings didn't solve the issue.

We've also tried setting several other settings as detailed here: https://answers.splunk.com/answers/765005/how-do-i-stop-getting-duplicate-entries-of-json-da.html
Specifically, unsetting INDEXED_EXTRACTIONS and KV_MODE, as well as adding AUTO_KV_JSON = false. These particular settings didn't work, nor has any other combination that we've tried.

At this point, I'm soliciting any other suggested settings, along with where to place them.

0 Karma

jeremyhagand61
Communicator

Did you resolve this? I have the exact same problem.

0 Karma

isoutamo
SplunkTrust
You should do those unsettings on the first full Splunk Enterprise instance from where the events are coming into Splunk.
0 Karma

jeremyhagand61
Communicator

Heavy forwarder?

0 Karma

isoutamo
SplunkTrust

Yes, if you have heavy forwarder as intermediate/gateway before splunk indexer(s).

0 Karma
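The advice above expressed as configuration, as an added example that is not part of this thread or of the Duo app: it assumes the duplication comes from index-time JSON extraction on the heavy forwarder combined with search-time JSON extraction in apps that do not see the Duo app's props.conf, and the sourcetype and app names are placeholders.

```ini
# Added example (not from this thread or the Duo app). Sourcetype name
# "duo:placeholder" and app name "duo_props_global" are placeholders;
# substitute the sourcetype the Duo app actually assigns to its API events.

# ---- Heavy forwarder: $SPLUNK_HOME/etc/system/local/props.conf ----
# Index-time JSON extraction here creates indexed fields; if the search
# head then extracts the same keys again at search time, every field
# appears twice. Leaving INDEXED_EXTRACTIONS blank disables the
# structured index-time extraction while other parsing settings stay.
[duo:placeholder]
INDEXED_EXTRACTIONS =

# ---- Search head (Splunk Cloud: deploy as a small app):
#      duo_props_global/local/props.conf ----
# KV_MODE and AUTO_KV_JSON are search-time settings, so placing them on
# the heavy forwarder has no effect on what a search returns. If indexed
# fields are kept on the forwarder, turn off the search-time JSON
# extraction that would duplicate them.
[duo:placeholder]
KV_MODE = none
AUTO_KV_JSON = false

# ---- duo_props_global/metadata/local.meta ----
# Search-time props in an app are visible only inside that app unless the
# app exports them to the system scope. This is consistent with searches
# inside the Duo app looking clean while Search & Reporting and other
# apps show duplicated fields.
[props]
export = system
```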