Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Duplicate Values in REST API

vijaysri
Builder
‎07-16-2020 09:56 PM

Hi,

I am using below REST API Call and able to see the results - But it is giving me duplicate values.  

In splunk I am able to see only one log whereas in REST API Call I am able to see 3 logs.   Please let me know how to eliminate the duplicate values in REST API Call

https://splunk-api-url:8089/servicesNS/nobody/appname/search/jobs/export?output_mode=json&segmentation=none&latest_time=2020-07-15T00%3A05%3A00.000&earliest_time=2020-07-15T00%3A00%3A00.000&search=|savedsearch%20savedsearchname%20|search%20Code=XXX-10-12

Note: This duplicate value could be seen only for JSON Format, for other formats it is working fine. Let me know how to eliminate duplicate values for JSON Format

Labels (1)
Labels
Tags (2)
Reply

ngohel
Engager
‎10-19-2020 11:49 AM

Having the same issue. Is there any solution?

0 Karma
Reply

vijaysri
Builder
‎10-19-2020 06:02 PM

No solution.

The respective application team filtered the JSON result at their end.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-08-2020 10:35 AM

I suggest filing a report with Splunk Support.

---
If this reply helps you, Karma would be appreciated.
Reply

inventsekar
Super Champion
‎10-19-2020 06:38 PM

As @richgalloway suggested, this look like a good candidate for Splunk Support ticket!

Reply

davidgogogo
Explorer
‎10-08-2020 12:15 AM

@richgalloway 
we met the same problem on Splunk Enterprise 7.2.6.
if we added the savedsearch like this

index=my_index
| dedup name
| table name value


and assume the savedsearch result is like this

namevalue
aa1
bb2


but if we use splunk export API, we will get the result like this

{"preview":false,"offset":0,"result": {"name": "a", value:"1"}
{"preview":false,"offset":1,"result": {"name": "b", value:"2"}
{"preview":false,"offset":0,"result": {"name": "a", value:"1"}
{"preview":false,"offset":1,"result": {"name": "b", value:"2"}

 

Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-17-2020 07:10 AM
Can you reproduce the error using a "standard" saved search (one delivered with Splunk)? I don't have a saved search called "savedsearchname" with a Code field.
---
If this reply helps you, Karma would be appreciated.
Reply

vijaysri
Builder
‎07-17-2020 08:32 AM

@richgalloway 

Do you have a savedsearch named - License Usage Data Cube?

I have reproduced the error with this savedsearch.

In splunk - I ran this search for 1 minute and filtered one component where in splunk I am getting 1 log, when I try connecting the API with the same savedsearch for same timing and same filters applied, I am able to see 4 logs in JSON Mode.

Reply
Get Updates on the Splunk Community!

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Join Principal Threat Researcher, Michael Haag, as he walks through:An introduction to the Splunk Threat ...

Splunk Life | Happy Pride Month!

Happy Pride Month, Splunk Community! 🌈 In the United States, as well as many countries around the ...

SplunkTrust | Where Are They Now - Michael Uschmann

The Background Five years ago, Splunk published several videos showcasing members of the SplunkTrust to share ...