Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Values repeated in each field

AnujaJ
Path Finder
‎04-17-2019 06:45 AM

I am getting repeated values in Splunk fields. This can be seen only in Table view. For list view/raw there is no repetition seen. However, my search queries treat all these fields as multi-valued fields. I do not want the repeated values in the single valued field.

Values in Splunk
alt text

Props.conf
[kpi_json]
CHARSET=UTF-8
INDEXED_EXTRACTIONS=json
KV_MODE=none
SHOULD_LINEMERGE=true
category=Structured
description=JavaScript Object Notation format. For more information, visit http://json.org/
disabled=false
pulldown_type=true
LINE_BREAKER=([\r\n]+)
TZ=Europe/Berlin
TIMESTAMP_FIELDS=@timestamp

Preview file
8 KB
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎04-17-2019 07:42 PM

Try these settings in props.conf on your Search Heads:

[YourSourcetypeHere]
KV_MODE = none
AUTO_KV_JSON = false

View solution in original post

Reply
Solved! Jump to solution

AnujaJ
Path Finder
‎05-17-2019 06:28 AM

I removed Indexed extractions from the prop.conf on UF. And that resolved my issue.

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎04-17-2019 07:42 PM

Try these settings in props.conf on your Search Heads:

[YourSourcetypeHere]
KV_MODE = none
AUTO_KV_JSON = false
Reply
Solved! Jump to solution

AnujaJ
Path Finder
‎04-18-2019 12:49 AM

I have these settings on props.conf on UF. Is that the problem that I need to put these settings on SH?

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎04-18-2019 05:33 AM

Yes, that is most definitely the problem.

0 Karma
Reply
Solved! Jump to solution

solarboyz1
Builder
‎04-17-2019 07:10 AM

It sounds like you want to dedup a multi-value field:

| eval a=dedup(a), b=dedup(b)
0 Karma
Reply
Solved! Jump to solution

AnujaJ
Path Finder
‎04-17-2019 07:17 AM

This is not a multivalued field. This is a single valued field. All fields except the date field are affected. I want all the fields to appear as single valued field. The json data has getting wrongly doubled values.

0 Karma
Reply
Solved! Jump to solution

solarboyz1
Builder
‎04-17-2019 06:56 AM

What is the search used to generate the table

0 Karma
Reply
Solved! Jump to solution

AnujaJ
Path Finder
‎04-17-2019 06:59 AM

index=kpi sourcetype=kpi_json

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk, and empower your SOC to reach new heights! Duration: 1 hour  Prepare to ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...