Hello everyone!
I have clustered infrastructure (simplified)
2 SH (cluster) + 2 Indexer (cluster) + Heavy Forwarder (name HF)
On HF i run some script which returns me json file, and i forward it from HF to Indexers (HF -> IndexCluser)
After that, i have to make some searches on SH with that data
When i make search request, i have correctly parsed json, look perfect. BUT when i use `table` or just expand results each json field are dublicated.
I have custom sourcetype defined on the Heavy Forwarder (although i tried some variations):
[just_json]
INDEXED_EXTRACTIONS = json
KV_MODE = none
AUTO_KV_JSON = false
NO_BINARY_CHECK = true
pulldown_type = true
category = Application
I assume that it multiplies on two because of:
json parsed during indexing (or sendind from Heavy?)
json parsed additionally on searchHead during search performed
I have read some similar questions (not sure about cluster case) but haven't succeed.
Still cant figure out.
Thanks in advance.
