
Independent Stream forwarder field value duplication problem

Engager

The field value is duplicated in the independent Stream forwarder. Is there a workaround?

  • Version Splunk 6.5.5 and independent Stream forwarder 7.1.1

0 Karma

SplunkTrust

This looks like INDEXED_EXTRACTIONS = JSON is present on the UF side and KV_MODE = auto (this is the default) or KV_MODE = json is present on the search head, and due to that it is extracting the JSON event twice.

You need to set KV_MODE = none on the search head for your sourcetype so the search head will not extract this JSON event again.

On SH props.conf

[yoursourcetype]
KV_MODE = none
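
Added example, not part of the original answer and not Splunk's own tooling: a small check that compares a forwarder's props.conf with the search head's props.conf and lists the sourcetypes that match the combination described above. The sourcetype names and sample configs are constructed, and the parser is simplified (no line continuations, no [default] inheritance).

```python
# Added example: flag sourcetypes that would be JSON-extracted twice.
# Simplified props.conf parser: no line continuations, no [default] inheritance.

def parse_props(text):
    """Return {stanza: {key: value}} from props.conf-style text."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas

def double_extracted(forwarder_props, search_head_props):
    """Sourcetypes with INDEXED_EXTRACTIONS = json on the forwarder whose
    search-head KV_MODE is auto (also the default when unset) or json."""
    fwd = parse_props(forwarder_props)
    sh = parse_props(search_head_props)
    findings = []
    for stanza, settings in sorted(fwd.items()):
        # The value is compared case-insensitively (the answer writes "JSON").
        if settings.get("INDEXED_EXTRACTIONS", "").lower() != "json":
            continue
        kv_mode = sh.get(stanza, {}).get("KV_MODE", "auto").lower()
        if kv_mode in ("auto", "json"):
            findings.append((stanza, kv_mode))
    return findings

# Constructed sample configs (sourcetype names are hypothetical).
FORWARDER_PROPS = """
[stream_json_a]
INDEXED_EXTRACTIONS = JSON

[stream_json_b]
INDEXED_EXTRACTIONS = json

[plain_syslog]
TIME_FORMAT = %b %d %H:%M:%S
"""
SEARCH_HEAD_PROPS = """
# stream_json_a has no stanza here, so KV_MODE falls back to auto
[stream_json_b]
KV_MODE = none
"""

if __name__ == "__main__":
    for sourcetype, mode in double_extracted(FORWARDER_PROPS, SEARCH_HEAD_PROPS):
        print(f"{sourcetype}: search-head KV_MODE={mode}, set KV_MODE = none")
```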

Ultra Champion

Is this forwarded with useAck = true set in the forwarder's outputs.conf?

0 Karma

Ultra Champion

Scratch my comment - I misread 'field duplicated' as 'event duplicated'.

0 Karma