Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to remove the duplicate values from json events

Nadhiyaa
Path Finder
‎09-01-2019 10:52 PM

alt text

Below is sample data . How to remove the duplicate values

Tags (1)
Preview file
1 KB
0 Karma
Reply

jawaharas
Motivator
‎09-02-2019 06:01 PM

Below configuration will help to remove duplicates in JSON events.

props.conf in Indexer

[<source_type>]
INDEXED_EXTRACTIONS = json
category = Structured

props.conf in Search head

[<source_type>]
AUTO_KV_JSON = false
KV_MODE = none

This answer is based on input from @harsmarvania57. Thanks.

Reply

jawaharas
Motivator
‎09-04-2019 06:47 PM

@Nadhiyaa
Kindly accept the answer if it helped you, so others can refer it.

0 Karma
Reply

harsmarvania57
SplunkTrust
SplunkTrust
‎09-02-2019 01:02 AM

Hi,

It looks like you are using INDEXED_EXTRACTIONS = json and KV_MODE = json. If you are using INDEXED_EXTRACTIONS = json while ingesting the data then set KV_MODE = none on Search Head and it will not display duplicate value.

Reply

DavidHourani
Super Champion
‎09-01-2019 11:35 PM

@Nadhiyaa, are you using stats or dedup ? You shouldnt have duplicated if that's the case. Could you please post your query.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk APM & RUM | Upcoming Planned Maintenance

There will be planned maintenance of the streaming infrastructure for Splunk APM and Splunk RUM in the coming ...

Part 2: Diving Deeper With AIOps

Getting the Most Out of Event Correlation and Alert Storm Detection in Splunk IT Service Intelligence   Watch ...

User Groups | Upcoming Events!

If by chance you weren't already aware, the Splunk Community is host to numerous User Groups, organized ...