Dublicated json fields on searchHead

Getting Data In

Hello everyone!

I have clustered infrastructure (simplified)

2 SH (cluster) + 2 Indexer (cluster) + Heavy Forwarder (name HF)

On HF i run some script which returns me json file, and i forward it from HF to Indexers (HF -> IndexCluser)

After that, i have to make some searches on SH with that data

When i make search request, i have correctly parsed json, look perfect. BUT when i use `table` or just expand results each json field are dublicated.

I have custom sourcetype defined on the Heavy Forwarder (although i tried some variations):

[just_json]

INDEXED_EXTRACTIONS = json
KV_MODE = none
AUTO_KV_JSON = false
NO_BINARY_CHECK = true
pulldown_type = true
category = Application

I assume that it multiplies on two because of:

json parsed during indexing (or sendind from Heavy?)

json parsed additionally on searchHead during search performed

I have read some similar questions (not sure about cluster case) but haven't succeed.

Still cant figure out.

Thanks in advance.

Get Updates on the Splunk Community!

In today’s data-heavy environment, organizations are caught in a data distribution dilemma. As data volumes ...

Streamlining Data Management: Introducing a unified experience in Splunk Managing data at scale shouldn’t feel ...

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Join the Conversation