All Apps and Add-ons

Duplicative JSON events in all but one App

peterm30
Path Finder

We are having an issue with duplicative JSON fields coming from Duo (the 2FA provider) events. Our senario seems to be a bit different than what others are encountering though. When searching within the Duo app (https://splunkbase.splunk.com/app/3504/), there is no duplication. However, when searching within any other app (default Searching and Reporting, other custom apps, etc.), we are seeing the duplication of fields.

We are using Splunk Cloud, so we do not have backend access to our search head or indexers, but we can change anything that can be configured in the web interface. We do have backend access to the heavy forwarders.

The Duo app is installed on one such heavy forwarder that recieves the events via API. Since the app seems to be working, our initial thought was to apply the app's default props.conf to all other apps by copying it to /opt/splunk/etc/system/local. Playing with the settings here, we can see that it does have an effect, but the default settings didn't solve the issue.

We've also tried setting several other settings as detailed here: https://answers.splunk.com/answers/765005/how-do-i-stop-getting-duplicate-entries-of-json-da.html
Specifically, unsetting INDEXED_EXTRATIONS and KV_MODE, as well as adding AUTO_KV_JSON = false. These particular settings didn't work, nor has any other combination that we've tried.

At this point, I'm soliciting any other suggested settings, along with where to place them.

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!