Added _meta to default result in double counts.

Splunk Employee
Splunk Employee

unable to search data using SPL

index=test ssp=3538

following search does return the result

index=test ssp=*3538

To resolve the issue implemented


After adding to Fields.conf we could search using >>>index=agcy-dns ssp=3538
We noticed that field ssp case giving a double count.

Tags (2)
0 Karma

Splunk Employee
Splunk Employee

To see duplicate usedvalue for filed as used

index=test ssp=3538 | eval A=mvcount(ssp) | search A=2

Issue was meta was defined ( _meta = org_id::d2e2 ssp::3548 org_id::d2e2 ssp::3548 ) in default stanza for inputs.conf , for search head ( inputs.conf with _meta settings) , and for indexer indexer(inputs.conf, the same _meta settings) resulted in two values because we do not deduplicate

We suspect it become like this ( _meta = org_id::d2e2 ssp::3548 org_id::d2e2 ssp::3548 ) and they were indexed twice.

It will be notice toe document it.

0 Karma