JSON duplicate values extraction even after applyi...

mahesh423 · ‎09-24-2019

JSON data with indexed extraction on Heavy Forwarder and KV mode =none with JSON events are giving out 2 values for 1 field, I did thoroughly checked the data and also after the field extractions and I did make sure each props has the app permission under local.meta or default.meta
[]
access = read : [ * ], write : [ admin, power ]
export = system

Ran tstats count where index= json index by duplicatedvaluefield which give the correct value - 9 - for 9 events

Where as when count of values for the field with stats gives 18 - for 9 events.

Below are the conf that I used,
On HEavy forwarder:

[_json]
INDEXED_EXTRACTIONS=json
KV_MODE=none
AUTO_KV_JSON=false
SHOULD_LINEMERGE=false
disabled=false
pulldown_type=true
TRUNCATE=99999
LINE_BREAKER=([\r\n]+)\[\W\"\w{8}
MAX_TIMESTAMP_LOOKAHEAD=13
TIME_PREFIX=\W+\w{8}\W+\w{9}\"\:\"
TIME_FORMAT=%s%3N

- ON Search head - 
[_json]
KV_MODE=none
AUTO_KV_JSON=false
disabled = false

On indexers 
[_json]
SHOULD_LINEMERGE=false
KV_MODE=none
AUTO_KV_JSON=false
disabled=false
pulldown_type=true
TRUNCATE=99999
LINE_BREAKER=([\r\n]+)\[\W\"\w{8}
MAX_TIMESTAMP_LOOKAHEAD=13
TIME_PREFIX=\W+\w{8}\W+\w{9}\"\:\"
TIME_FORMAT=%s%3N

Please help me by pointing the issue with this.

JSON duplicate values extraction even after applying props with indexed extractions on heavy forwarder

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Unlocking Unified Insights: New Gigamon Federated Search App for Splunk

GA: New Data Management App in Splunk Platform

Announcing Modern Navigation: A New Era of Splunk User Experience

Join the Conversation