Dashboards & Visualizations

Why table command results with two same values..??

splunkkid
Path Finder

Hello. 

 

I'm currently kind of confused using splunk enterprise. I am using splunk enterprise 7.2.8 version.

I need to use table command like below, but the command outputs with same 2 values as you can see also as below.

 

[command]

host="myhost" index="myindex" sourcetype="mytype" source="mysource" | table field1, field2

 

[results - table]

mv.png

 

For your information, our org configured splunk system like below.

splunk universal forwarder -> splunk heavy forwarder -> splunk indexer <- search header

 

And above information is sent from server with splunk universal forwarder. 

Any idea to solve this problem??

 

Thanks.

 

 

Labels (1)
0 Karma
1 Solution

Nisha18789
Builder

Hello @splunkkid , could you please add the sourcetype stanza on Search head as well with KV_MODE = none

View solution in original post

ITWhisperer
SplunkTrust
SplunkTrust

This seems to imply that field1 and field2 are either duplicated in the original event, or that the extraction process in duplicating them. You probably need to look at the props and transform configurations

0 Karma

splunkkid
Path Finder

Ok. Thanks for reply.

First of all, it is not just those 2 fields that comes out duplicated. All fields came out like that.

 

And my splunk universal forwarder's path is like below. 

mv.png

And props.conf, the file is written like below.

 

[MY_SOURCETYPE]

INDEXED_EXTRACTIONS=JSON
KV_MODE=none

 

Thanks!

0 Karma

Nisha18789
Builder

hi @splunkkid , could you please advise if these fields are part of json logs? Also, where have you placed the props.conf stanza for these events?

0 Karma

splunkkid
Path Finder

Hello!

 

Yes, those fields are all JSON format data.

I run python script in my server, and that python script results in one JSON file. 

 

And SplunkUniversal forwarder monitors where the JSON file come out.

And I uploaded props.conf stanza on above reply just now. Please check.

 

Thanks

Tags (1)
0 Karma

Nisha18789
Builder

Hi @splunkkid , I thnk you are facing duplicate field extractions, as mentioned in this post, please have a look.

 

https://community.splunk.com/t5/Getting-Data-In/Why-is-my-sourcetype-configuration-for-JSON-events-w...

0 Karma

splunkkid
Path Finder

Hi @Nisha18789 ,

I have added that props.conf stanza only on Universal forwarder.

From UF, the system forward data to HF and then to Indexer.

 

And I didn't added the same stanza to HF or Indexer. I just added that to my UF only.

 

And I checked the post you linked.. and changed my props.conf file like below and ran python script again

[MY SOURCETYPE]
INDEXED_EXTRACTIONS=JSON
KV_MODE=none
AUTO_KV_JSON=false

 

But the data still results in duplicated format.. 

 

Tags (1)
0 Karma

Nisha18789
Builder

Hello @splunkkid , could you please add the sourcetype stanza on Search head as well with KV_MODE = none

splunkkid
Path Finder

Hello, @Nisha18789 

 

Really appreciate your help.

I added to my search header props.conf stanza like below.

 

[MY_SOURCETYPE]
INDEXED_EXTRACTIONS=JSON
KV_MODE=none

 

And I am getting right results as I intended! 

 

Thank you!

Tags (1)
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...