Splunk Enterprise

Double value in the field

venkateshparank
Path Finder

We are ingesting AWS data through an HF and I am seeing duplicate values for each field, as shown in the screenshot.

A few of the fields show the correct single value, but most of the fields have double values.

I have added the settings below in props.conf, but no luck.

KV_MODE = none
AUTO_KV_JSON = false
INDEXED_EXTRACTIONS = json

 


0 Karma

FritzWittwer1
Path Finder

INDEXED_EXTRACTIONS = json

is applied during indexing: in addition to the _raw, _time, _indextime, host, source and sourcetype fields, all fields from the JSON data in the _raw field are also indexed.

There is probably a KV_MODE=auto or json active during search time, so in addition to the indexed fields, the same fields are parsed from the _raw event.

0 Karma
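The split described in the answer above, as an added example that is not part of the original thread: index-time JSON extraction is configured on the tier that parses the data, and search-time extraction is switched off on the search head for the same sourcetype. The stanza name `your_aws_sourcetype` is a placeholder, and the example assumes the heavy forwarder is the parsing tier.

```ini
# --- Heavy forwarder: props.conf (index-time, assumed parsing tier) ---
# Fields from the JSON in _raw are written to the index as indexed fields.
[your_aws_sourcetype]
INDEXED_EXTRACTIONS = json

# --- Search head: props.conf (search-time) ---
# KV_MODE and AUTO_KV_JSON are search-time settings. If they are only set on
# the forwarder, the search head still extracts the same fields from _raw a
# second time, and each field shows two values.
[your_aws_sourcetype]
KV_MODE = none
AUTO_KV_JSON = false

# To see which props.conf file supplies the effective value on the search
# head (placeholder sourcetype name), run:
#   splunk btool props list your_aws_sourcetype --debug
```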