Adding _meta to default results in double counts.

Splunk Employee

Unable to search data using SPL:

index=test ssp=3538

The following search does return the result:

index=test ssp=*3538

To resolve the issue implemented


After adding to fields.conf, we could search using: index=agcy-dns ssp=3538
We noticed that the field ssp was giving a double count.

0 Karma

Splunk Employee

To see the duplicate value for the field, the following was used:

index=test ssp=3538 | eval A=mvcount(ssp) | search A=2

The issue was that _meta was defined ( _meta = org_id::d2e2 ssp::3548 org_id::d2e2 ssp::3548 ) in the default stanza of inputs.conf, both for the search head (inputs.conf with _meta settings) and for the indexer (inputs.conf, the same _meta settings), which resulted in two values because we do not deduplicate.

We suspect it became like this ( _meta = org_id::d2e2 ssp::3548 org_id::d2e2 ssp::3548 ) and they were indexed twice.

It will be nice to document it.

0 Karma
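
An added example, not part of the original thread and not Splunk's own code: a small checker that reads the inputs.conf text from each tier and flags any _meta key::value pair set more than once, the condition the answer above identifies as the cause of the double count. The tier names and the sample file contents are constructed from the values quoted in the post; the script does not model Splunk's configuration layering, it only reports repeated pairs.

```python
import re
from collections import Counter

# Constructed samples: the same _meta line in [default] on two tiers,
# using the key::value pairs quoted in the answer.
SEARCH_HEAD_INPUTS = "[default]\n_meta = org_id::d2e2 ssp::3548\n"
INDEXER_INPUTS = "[default]\n_meta = org_id::d2e2 ssp::3548\n"

def parse_meta(conf_text):
    """Return {stanza: [(key, value), ...]} for every _meta setting found."""
    result, stanza = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comments
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            stanza = header.group(1)
            continue
        name, sep, value = line.partition("=")
        if sep and name.strip() == "_meta" and stanza is not None:
            # _meta holds space-separated key::value tokens
            pairs = [tuple(tok.split("::", 1)) for tok in value.split() if "::" in tok]
            result.setdefault(stanza, []).extend(pairs)
    return result

def duplicate_meta(tiers):
    """tiers: {tier_name: inputs.conf text} (tier names are hypothetical labels).
    Return {(stanza, (key, value)): [tiers...]} for pairs set more than once,
    whether repeated inside one _meta line or across tiers."""
    seen, where = Counter(), {}
    for tier, text in tiers.items():
        for stanza, pairs in parse_meta(text).items():
            for pair in pairs:
                seen[(stanza, pair)] += 1
                where.setdefault((stanza, pair), []).append(tier)
    return {key: where[key] for key, count in seen.items() if count > 1}

if __name__ == "__main__":
    tiers = {"search_head": SEARCH_HEAD_INPUTS, "indexer": INDEXER_INPUTS}
    for (stanza, (key, value)), found in duplicate_meta(tiers).items():
        print(f"[{stanza}] {key}::{value} set {len(found)} times: {', '.join(found)}")
```
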