Splunk Cloud Platform

Why does json data get duplicated after tabling the events?

kathhuynh
Explorer

I have a Splunk On Call webhook that is using a POST request to send data to my index and sourcetype. Anytime a user enters a chat message for an incident, it will fire the webhook and data immediately gets added to that sourcetype.


My issue: The raw events in the index and sourcetype show one event. However, when I table data, the values in each field gets duplicated with the same data as a multivalue field.

kathhuynh_0-1644957923780.png


Based on other Splunk Community questions, I've made some changes to the sourcetype settings:

[mysourcetype]
AUTO_KV_JSON = false
INDEXED_EXTRACTIONS = json
KV_MODE = none
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Structured
disabled = false
pulldowntype = true

This did not fix the issue like it has for others.


I have tried creating sourcetypes a few different ways:

1. Going into Settings > Sourcetypes > selecting "New Source Type" and updating the settings.
2. Cloning _json sourcetype that Splunk has so I can keep the settings, but am still getting duplicate values when I table.
3 Going into Settings > Data Inputs > HTTP Event Collector > selecting "New Token" > creating a new sourcetype in "Input Settings"

 

I also noticed that the json events does not highlight syntax by default. Is this due to the KV_MODE being set to none?
Can I set it to json without duplicating my data?



Labels (3)
0 Karma
1 Solution

kathhuynh
Explorer

I tried replicating the sourcetype settings here and it did not work for my case:

https://community.splunk.com/t5/Getting-Data-In/Why-is-my-sourcetype-configuration-for-JSON-events-w...

 

However, since this data is coming from the Splunk On Call webhook, I found a solution:

I removed the AUTO_KV_JSON and INDEXED EXTRACTIONS settings and KV_MODE=json and the data is coming in with the correct format and not duplicating.

[mysourcetype]
KV_MODE = json
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Structured
disabled = false
pulldowntype = true

I'm guessing the reason why it didn't work before is that INDEXED_EXTRACTIONS "
settings change the defaults for other settings in this subsection to appropriate values". It must have conflicted with my inputs.props and the other sourcetype settings somehow.

View solution in original post

kathhuynh
Explorer

I tried replicating the sourcetype settings here and it did not work for my case:

https://community.splunk.com/t5/Getting-Data-In/Why-is-my-sourcetype-configuration-for-JSON-events-w...

 

However, since this data is coming from the Splunk On Call webhook, I found a solution:

I removed the AUTO_KV_JSON and INDEXED EXTRACTIONS settings and KV_MODE=json and the data is coming in with the correct format and not duplicating.

[mysourcetype]
KV_MODE = json
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Structured
disabled = false
pulldowntype = true

I'm guessing the reason why it didn't work before is that INDEXED_EXTRACTIONS "
settings change the defaults for other settings in this subsection to appropriate values". It must have conflicted with my inputs.props and the other sourcetype settings somehow.

PickleRick
SplunkTrust
SplunkTrust

Also, show us the raw event and how it's parsed into fields by splunk.

0 Karma

kathhuynh
Explorer

kathhuynh_0-1645033094937.png

 

0 Karma

PickleRick
SplunkTrust
SplunkTrust

That is really interesting. Can you show us the parsed fields view as well? Because it looks as if the whole event was really being parsed twice creating mvfields of any fields...

0 Karma

kathhuynh
Explorer

Sorry - what do you mean by parsed fields "view"? 

0 Karma

PickleRick
SplunkTrust
SplunkTrust

What you showed is a raw event (can be switched between raw view and syntax highlited view). Below that you should have a drop down menu with Event Actions and lower yet you should have a list of fields that are parsed from the event.

And do your search in verbose mode to get all fields!

0 Karma

kathhuynh
Explorer

Thank you. Also confirmed I am searching in Verbose. Here's a snippet of the parsed fields.

kathhuynh_0-1645040973419.png

 

 

0 Karma

PickleRick
SplunkTrust
SplunkTrust

As you can see in the field values - the fields are indeed parsed twice. So it's not a matter of the table command but splunk does see the fields with two values in each of them. I'd hazard a guess that there are some duplicated entries in your configs somewhere but it's hard to say where without going through all your props...

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Please share the SPL that produced the table.

---
If this reply helps you, Karma would be appreciated.
0 Karma

kathhuynh
Explorer

index=dev_training sourcetype=dev_alerts_logs
| table *

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...