Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why does INGEST_EVAL duplicate my events if I assign a value to _raw?

peter_krammer
Communicator
‎08-05-2021 06:58 AM

When I configure INGEST_EVAL to replace _raw with something else, it duplicates the event. 

Splunk Enterprise Version 8.2.1

props.conf:

Spoiler
[source::http:splunk_hec_token]
TRUNCATE = 500000
SHOULD_LINEMERGE = false
KV_MODE = json
TRANSFORMS-fdz_event = fdz_event

transforms.conf

Spoiler
[fdz_event]
INGEST_EVAL = _raw="Test"

Output:

splunk_duplicate.png 

Labels (2)
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

peter_krammer
Communicator
‎08-05-2021 07:50 AM

I found a workaround to circumvent this bug. 

tranforms.conf

Spoiler
[fdz_event]
INGEST_EVAL = _raw="Test", queue=if(isnull(timestamp),"nullQueue", queue)

Because I notices that one of the duplicates has an indexed field "timestamp::none" and the other does not. With this I am routing only one of the to the nullQueue and keep the other.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

peter_krammer
Communicator
‎08-05-2021 07:50 AM

I found a workaround to circumvent this bug. 

tranforms.conf

Spoiler
[fdz_event]
INGEST_EVAL = _raw="Test", queue=if(isnull(timestamp),"nullQueue", queue)

Because I notices that one of the duplicates has an indexed field "timestamp::none" and the other does not. With this I am routing only one of the to the nullQueue and keep the other.

0 Karma
Reply
Get Updates on the Splunk Community!

Observability | How to Think About Instrumentation Overhead (White Paper)

Novice observability practitioners are often overly obsessed with performance. They might approach ...

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

IDC Report: Enterprises Gain Higher Efficiency and Resiliency With Migration to Cloud  Today many enterprises ...

The Great Resilience Quest: 10th Leaderboard Update

The tenth leaderboard update (11.23-12.05) for The Great Resilience Quest is out >> As our brave ...