Before you ask, I have found at least 10 questions similar to this as well as two identical questions, both of which are unresolved.
I have one sourcetype which extracts fields from a JSON properly. Awesome, no problem. I created a second sourcetype with the same settings and all fields are extracted twice during a search. The only difference in the data is the first sourcetype has the JSON on a single line. The second sourcetype has the JSON indented on multiple lines. This results in a multi-value field (not a duplicate event.)
I'm running v7.0.1 with forwarders. I am a loss of what to even check next. Suggestions???
SHOULD_LINEMERGE = true
INDEXED_EXTRACTIONS = json
NO_BINARY_CHECK = true
CHARSET=UTF-8
KV_MODE = none
AUTO_KV_JSON = false
category=Structured
description=JavaScript Object...
disabled=false
pulldown_type=true
TIMESTAMP_FIELDS = timestamp
TIME_FORMAT=%Y-%m-%dT%H%M%S%Z
TRUNCATE=0
INDEXED_EXTRACTIONS = json
NO_BINARY_CHECK = true
CHARSET=UTF-8
KV_MODE = none
AUTO_KV_JSON = false
category=Structured
description=JavaScript Object...
disabled=false
pulldown_type=true
TIMESTAMP_FIELDS = timestamp
TIME_FORMAT=%Y-%m-%dT%H%M%S%Z
TRUNCATE=0
along with all combinations of
BREAK_ONLY_BEFORE_DATE = [true | false]
SHOULD_LINEMERGE = [true | false]
Having the same exact problem and I can't figure it out.
What’s the name of your two sourectypes ?
Where have you deployed them? SH or forwarder?