Splunk Enterprise

Duplicate Values in REST API

VijaySrrie
Builder

Hi,

I am using below REST API Call and able to see the results - But it is giving me duplicate values.  

In splunk I am able to see only one log whereas in REST API Call I am able to see 3 logs.   Please let me know how to eliminate the duplicate values in REST API Call

https://splunk-api-url:8089/servicesNS/nobody/appname/search/jobs/export?output_mode=json&segmentation=none&latest_time=2020-07-15T00%3A05%3A00.000&earliest_time=2020-07-15T00%3A00%3A00.000&search=|savedsearch%20savedsearchname%20|search%20Code=XXX-10-12

Note: This duplicate value could be seen only for JSON Format, for other formats it is working fine. Let me know how to eliminate duplicate values for JSON Format

Labels (1)
Tags (2)

ngohel
Explorer

Having the same issue. Is there any solution?

0 Karma

VijaySrrie
Builder

No solution.

The respective application team filtered the JSON result at their end.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

I suggest filing a report with Splunk Support.

---
If this reply helps you, Karma would be appreciated.

inventsekar
SplunkTrust
SplunkTrust

As @richgalloway suggested, this look like a good candidate for Splunk Support ticket!

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !

davidgogogo
Explorer

@richgalloway 
we met the same problem on Splunk Enterprise 7.2.6.
if we added the savedsearch like this

index=my_index
| dedup name
| table name value


and assume the savedsearch result is like this

namevalue
aa1
bb2


but if we use splunk export API, we will get the result like this

{"preview":false,"offset":0,"result": {"name": "a", value:"1"}
{"preview":false,"offset":1,"result": {"name": "b", value:"2"}
{"preview":false,"offset":0,"result": {"name": "a", value:"1"}
{"preview":false,"offset":1,"result": {"name": "b", value:"2"}

 

richgalloway
SplunkTrust
SplunkTrust
Can you reproduce the error using a "standard" saved search (one delivered with Splunk)? I don't have a saved search called "savedsearchname" with a Code field.
---
If this reply helps you, Karma would be appreciated.

VijaySrrie
Builder

@richgalloway 

Do you have a savedsearch named - License Usage Data Cube?

I have reproduced the error with this savedsearch.

In splunk - I ran this search for 1 minute and filtered one component where in splunk I am getting 1 log, when I try connecting the API with the same savedsearch for same timing and same filters applied, I am able to see 4 logs in JSON Mode.

Get Updates on the Splunk Community!

Exciting News: The AppDynamics Community Joins Splunk!

Hello Splunkers,   I’d like to introduce myself—I’m Ryan, the former AppDynamics Community Manager, and I’m ...

The All New Performance Insights for Splunk

Splunk gives you amazing tools to analyze system data and make business-critical decisions, react to issues, ...

Good Sourcetype Naming

When it comes to getting data in, one of the earliest decisions made is what to use as a sourcetype. Often, ...