Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to remove the duplicate values from json events

Nadhiyaa
Path Finder
‎09-01-2019 10:52 PM

alt text

Below is sample data . How to remove the duplicate values

Tags (1)
Preview file
1 KB
0 Karma
Reply

jawaharas
Motivator
‎09-02-2019 06:01 PM

Below configuration will help to remove duplicates in JSON events.

props.conf in Indexer

[<source_type>]
INDEXED_EXTRACTIONS = json
category = Structured

props.conf in Search head

[<source_type>]
AUTO_KV_JSON = false
KV_MODE = none

This answer is based on input from @harsmarvania57. Thanks.

Reply

jawaharas
Motivator
‎09-04-2019 06:47 PM

@Nadhiyaa
Kindly accept the answer if it helped you, so others can refer it.

0 Karma
Reply

harsmarvania57
SplunkTrust
SplunkTrust
‎09-02-2019 01:02 AM

Hi,

It looks like you are using INDEXED_EXTRACTIONS = json and KV_MODE = json. If you are using INDEXED_EXTRACTIONS = json while ingesting the data then set KV_MODE = none on Search Head and it will not display duplicate value.

Reply

DavidHourani
Super Champion
‎09-01-2019 11:35 PM

@Nadhiyaa, are you using stats or dedup ? You shouldnt have duplicated if that's the case. Could you please post your query.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Lantern | Spotlight on Security: Adoption Motions, War Stories, and More

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)

Greetings, Splunk Cloud Admins and Splunk enthusiasts! The Admin Configuration Service (ACS) team is excited ...

Tech Talk | One Log to Rule Them All

One log to rule them all: how you can centralize your troubleshooting with Splunk logs We know how important ...