Solved: Why table command results with two same values..??

splunkkid · ‎09-03-2020

Hello.

I'm currently kind of confused using splunk enterprise. I am using splunk enterprise 7.2.8 version.

I need to use table command like below, but the command outputs with same 2 values as you can see also as below.

[command]

host="myhost" index="myindex" sourcetype="mytype" source="mysource" | table field1, field2

[results - table]

For your information, our org configured splunk system like below.

splunk universal forwarder -> splunk heavy forwarder -> splunk indexer <- search header

And above information is sent from server with splunk universal forwarder.

Any idea to solve this problem??

Thanks.

Nisha18789 · ‎09-03-2020

Hello @splunkkid , could you please add the sourcetype stanza on Search head as well with KV_MODE = none

View solution in original post

ITWhisperer · ‎09-03-2020

This seems to imply that field1 and field2 are either duplicated in the original event, or that the extraction process in duplicating them. You probably need to look at the props and transform configurations

splunkkid · ‎09-03-2020

Ok. Thanks for reply.

First of all, it is not just those 2 fields that comes out duplicated. All fields came out like that.

And my splunk universal forwarder's path is like below.

And props.conf, the file is written like below.

[MY_SOURCETYPE]

INDEXED_EXTRACTIONS=JSON
KV_MODE=none

Thanks!

Nisha18789 · ‎09-03-2020

hi @splunkkid , could you please advise if these fields are part of json logs? Also, where have you placed the props.conf stanza for these events?

splunkkid · ‎09-03-2020

Hello!

Yes, those fields are all JSON format data.

I run python script in my server, and that python script results in one JSON file.

And SplunkUniversal forwarder monitors where the JSON file come out.

And I uploaded props.conf stanza on above reply just now. Please check.

Thanks

Nisha18789 · ‎09-03-2020

Hi @splunkkid , I thnk you are facing duplicate field extractions, as mentioned in this post, please have a look.

https://community.splunk.com/t5/Getting-Data-In/Why-is-my-sourcetype-configuration-for-JSON-events-w...

splunkkid · ‎09-03-2020

Hi @Nisha18789 ,

I have added that props.conf stanza only on Universal forwarder.

From UF, the system forward data to HF and then to Indexer.

And I didn't added the same stanza to HF or Indexer. I just added that to my UF only.

And I checked the post you linked.. and changed my props.conf file like below and ran python script again

[MY SOURCETYPE]
INDEXED_EXTRACTIONS=JSON
KV_MODE=none
AUTO_KV_JSON=false

But the data still results in duplicated format..

Nisha18789 · ‎09-03-2020

Hello @splunkkid , could you please add the sourcetype stanza on Search head as well with KV_MODE = none

splunkkid · ‎09-03-2020

Hello, @Nisha18789

Really appreciate your help.

I added to my search header props.conf stanza like below.

[MY_SOURCETYPE]
INDEXED_EXTRACTIONS=JSON
KV_MODE=none

And I am getting right results as I intended!

Thank you!

Why table command results with two same values..??

table

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation