I never ran into this problem before, but I hope someone has.
I have a Python script which calls a REST API and passes the JSON to Splunk via the HEC.
The fields are single-valued, however, Splunk converts them to multi-value.
Does anyone know why this is happening and how to fix it?
Set KV_MODE to NONE and it will go away. Actually a value of AUTO might be better but the real problem is that right now it is set to JSON which is wrong because then you are parsing the JSON twice. This is definitely the problem.
Do you have multiple extraction methods defined?
Such as using indexed_extractions and kv_mode?
No, I don't.
Can you provide a data sample and the sourcetype you’re using?
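The combination raised in the answer (KV_MODE set to JSON) and in the comment (indexed_extractions together with kv_mode) can be checked mechanically. This is an added example, not code from any poster in this thread: it scans props.conf text for stanzas that extract JSON at index time and again at search time. The sample configuration and its sourcetype names are constructed for illustration.

```python
import configparser

# Constructed props.conf content; the sourcetype names are hypothetical.
SAMPLE_PROPS = """
[rest_api:json]
INDEXED_EXTRACTIONS = json
KV_MODE = json

[rest_api:fixed]
INDEXED_EXTRACTIONS = json
KV_MODE = none

[rest_api:searchtime_only]
KV_MODE = json
"""


def find_double_json_extraction(props_text):
    """Return stanzas that extract JSON at index time and again at search time."""
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    parser.optionxform = str  # keep setting names exactly as written
    parser.read_string(props_text)

    flagged = []
    for stanza in parser.sections():
        indexed = parser.get(stanza, "INDEXED_EXTRACTIONS", fallback="")
        kv_mode = parser.get(stanza, "KV_MODE", fallback="")
        # Both settings set to json means every field is extracted twice,
        # which shows up in search results as multi-value fields.
        if indexed.strip().lower() == "json" and kv_mode.strip().lower() == "json":
            flagged.append(stanza)
    return flagged


if __name__ == "__main__":
    for name in find_double_json_extraction(SAMPLE_PROPS):
        print(f"[{name}] parses JSON twice: set KV_MODE = none")
```

The function only sees the text it is given, so a setting inherited from another app's props.conf is missed unless the merged configuration is passed in.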