Re: independent stream forwarder field value dupli...

luckinfo · ‎03-17-2019

The field value is duplicated in independent Stream forwarder. Is there a workaround?

Version Splunk 6.5.5 and independent Stream forwarder 7.1.1

harsmarvania57 · ‎03-18-2019

This looks like INDEXED_EXTRACTIONS = JSON on UF side and KV_MODE = auto (This is default) or KV_MODE = json on search head is present and due to that it is extracting JSON event twice.

You need to set KV_MODE = none on search head for your sourcetype so search head will not extract this JSON event again.

On SH props.conf

[yoursourcetype]
KV_MODE = none

nickhills · ‎03-18-2019

Is this forwarded with useAck = true set on the forwarders outputs.conf?

If my comment helps, please give it a thumbs up!

nickhills · ‎03-18-2019

Scratch my comment - i misread 'field duplicated' as 'event duplicated'

If my comment helps, please give it a thumbs up!

independent stream forwarder field value duplication problem

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Event Series: Splunk Observability Metrics Cost Optimization

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

Join the Conversation