How to remove the duplicate values from json event...

Nadhiyaa · ‎09-01-2019

alt text

Below is sample data . How to remove the duplicate values

jawaharas · ‎09-02-2019

Below configuration will help to remove duplicates in JSON events.

props.conf in Indexer

[<source_type>]
INDEXED_EXTRACTIONS = json
category = Structured

props.conf in Search head

[<source_type>]
AUTO_KV_JSON = false
KV_MODE = none

This answer is based on input from @harsmarvania57. Thanks.

jawaharas · ‎09-04-2019

@Nadhiyaa
Kindly accept the answer if it helped you, so others can refer it.

harsmarvania57 · ‎09-02-2019

Hi,

It looks like you are using INDEXED_EXTRACTIONS = json and KV_MODE = json. If you are using INDEXED_EXTRACTIONS = json while ingesting the data then set KV_MODE = none on Search Head and it will not display duplicate value.

DavidHourani · ‎09-01-2019

@Nadhiyaa, are you using stats or dedup ? You shouldnt have duplicated if that's the case. Could you please post your query.

How to remove the duplicate values from json events

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Are you a member of the Splunk Community?

How to remove the duplicate values from json events

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0