JSON duplicate values extraction even after applyi...

mahesh423 · ‎09-24-2019

JSON data with indexed extraction on Heavy Forwarder and KV mode =none with JSON events are giving out 2 values for 1 field, I did thoroughly checked the data and also after the field extractions and I did make sure each props has the app permission under local.meta or default.meta
[]
access = read : [ * ], write : [ admin, power ]
export = system

Ran tstats count where index= json index by duplicatedvaluefield which give the correct value - 9 - for 9 events

Where as when count of values for the field with stats gives 18 - for 9 events.

Below are the conf that I used,
On HEavy forwarder:

[_json]
INDEXED_EXTRACTIONS=json
KV_MODE=none
AUTO_KV_JSON=false
SHOULD_LINEMERGE=false
disabled=false
pulldown_type=true
TRUNCATE=99999
LINE_BREAKER=([\r\n]+)\[\W\"\w{8}
MAX_TIMESTAMP_LOOKAHEAD=13
TIME_PREFIX=\W+\w{8}\W+\w{9}\"\:\"
TIME_FORMAT=%s%3N

- ON Search head - 
[_json]
KV_MODE=none
AUTO_KV_JSON=false
disabled = false

On indexers 
[_json]
SHOULD_LINEMERGE=false
KV_MODE=none
AUTO_KV_JSON=false
disabled=false
pulldown_type=true
TRUNCATE=99999
LINE_BREAKER=([\r\n]+)\[\W\"\w{8}
MAX_TIMESTAMP_LOOKAHEAD=13
TIME_PREFIX=\W+\w{8}\W+\w{9}\"\:\"
TIME_FORMAT=%s%3N

Please help me by pointing the issue with this.

JSON duplicate values extraction even after applying props with indexed extractions on heavy forwarder

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases

Are you a member of the Splunk Community?

JSON duplicate values extraction even after applying props with indexed extractions on heavy forwarder

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases