JSON duplicate values extraction even after applyi...

mahesh423 · ‎09-24-2019

JSON data with indexed extraction on Heavy Forwarder and KV mode =none with JSON events are giving out 2 values for 1 field, I did thoroughly checked the data and also after the field extractions and I did make sure each props has the app permission under local.meta or default.meta
[]
access = read : [ * ], write : [ admin, power ]
export = system

Ran tstats count where index= json index by duplicatedvaluefield which give the correct value - 9 - for 9 events

Where as when count of values for the field with stats gives 18 - for 9 events.

Below are the conf that I used,
On HEavy forwarder:

[_json]
INDEXED_EXTRACTIONS=json
KV_MODE=none
AUTO_KV_JSON=false
SHOULD_LINEMERGE=false
disabled=false
pulldown_type=true
TRUNCATE=99999
LINE_BREAKER=([\r\n]+)\[\W\"\w{8}
MAX_TIMESTAMP_LOOKAHEAD=13
TIME_PREFIX=\W+\w{8}\W+\w{9}\"\:\"
TIME_FORMAT=%s%3N

- ON Search head - 
[_json]
KV_MODE=none
AUTO_KV_JSON=false
disabled = false

On indexers 
[_json]
SHOULD_LINEMERGE=false
KV_MODE=none
AUTO_KV_JSON=false
disabled=false
pulldown_type=true
TRUNCATE=99999
LINE_BREAKER=([\r\n]+)\[\W\"\w{8}
MAX_TIMESTAMP_LOOKAHEAD=13
TIME_PREFIX=\W+\w{8}\W+\w{9}\"\:\"
TIME_FORMAT=%s%3N

Please help me by pointing the issue with this.

JSON duplicate values extraction even after applying props with indexed extractions on heavy forwarder

.conf25 Global Broadcast: Don’t Miss a Moment

Observe and Secure All Apps with Splunk

What's New in Splunk Observability - August 2025

Are you a member of the Splunk Community?

JSON duplicate values extraction even after applying props with indexed extractions on heavy forwarder

.conf25 Global Broadcast: Don’t Miss a Moment

Observe and Secure All Apps with Splunk

What's New in Splunk Observability - August 2025