How to remove the duplicate values from json event...

Nadhiyaa · ‎09-01-2019

Below is sample data . How to remove the duplicate values

jawaharas · ‎09-02-2019

Below configuration will help to remove duplicates in JSON events.

props.conf in Indexer

[<source_type>]
INDEXED_EXTRACTIONS = json
category = Structured

props.conf in Search head

[<source_type>]
AUTO_KV_JSON = false
KV_MODE = none

This answer is based on input from @harsmarvania57. Thanks.

jawaharas · ‎09-04-2019

@Nadhiyaa
Kindly accept the answer if it helped you, so others can refer it.

harsmarvania57 · ‎09-02-2019

Hi,

It looks like you are using INDEXED_EXTRACTIONS = json and KV_MODE = json. If you are using INDEXED_EXTRACTIONS = json while ingesting the data then set KV_MODE = none on Search Head and it will not display duplicate value.

DavidHourani · ‎09-01-2019

@Nadhiyaa, are you using stats or dedup ? You shouldnt have duplicated if that's the case. Could you please post your query.

How to remove the duplicate values from json events

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

How to find the worst searches in your Splunk environment and how to fix them

Share Your Feedback: On Admin Config Service (ACS)!

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

Join the Conversation