Dublicated json fields on searchHead

Getting Data In

Hello everyone!

I have clustered infrastructure (simplified)

2 SH (cluster) + 2 Indexer (cluster) + Heavy Forwarder (name HF)

On HF i run some script which returns me json file, and i forward it from HF to Indexers (HF -> IndexCluser)

After that, i have to make some searches on SH with that data

When i make search request, i have correctly parsed json, look perfect. BUT when i use `table` or just expand results each json field are dublicated.

I have custom sourcetype defined on the Heavy Forwarder (although i tried some variations):

[just_json]

INDEXED_EXTRACTIONS = json
KV_MODE = none
AUTO_KV_JSON = false
NO_BINARY_CHECK = true
pulldown_type = true
category = Application

I assume that it multiplies on two because of:

json parsed during indexing (or sendind from Heavy?)

json parsed additionally on searchHead during search performed

I have read some similar questions (not sure about cluster case) but haven't succeed.

Still cant figure out.

Thanks in advance.

Get Updates on the Splunk Community!

Are you ready to transform how your team handles complex data requests? We invite you to our upcoming ...

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Join the Conversation