Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Duplicate Values in REST API

VijaySrrie
Builder
‎07-16-2020 09:56 PM

Hi,

I am using below REST API Call and able to see the results - But it is giving me duplicate values.  

In splunk I am able to see only one log whereas in REST API Call I am able to see 3 logs.   Please let me know how to eliminate the duplicate values in REST API Call

https://splunk-api-url:8089/servicesNS/nobody/appname/search/jobs/export?output_mode=json&segmentation=none&latest_time=2020-07-15T00%3A05%3A00.000&earliest_time=2020-07-15T00%3A00%3A00.000&search=|savedsearch%20savedsearchname%20|search%20Code=XXX-10-12

Note: This duplicate value could be seen only for JSON Format, for other formats it is working fine. Let me know how to eliminate duplicate values for JSON Format

Labels (1)
Labels
Tags (2)
Reply

ngohel
Explorer
‎10-19-2020 11:49 AM

Having the same issue. Is there any solution?

0 Karma
Reply

VijaySrrie
Builder
‎10-19-2020 06:02 PM

No solution.

The respective application team filtered the JSON result at their end.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-08-2020 10:35 AM

I suggest filing a report with Splunk Support.

---
If this reply helps you, Karma would be appreciated.
Reply

inventsekar
SplunkTrust
SplunkTrust
‎10-19-2020 06:38 PM

As @richgalloway suggested, this look like a good candidate for Splunk Support ticket!

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
Reply

davidgogogo
Explorer
‎10-08-2020 12:15 AM

@richgalloway 
we met the same problem on Splunk Enterprise 7.2.6.
if we added the savedsearch like this

index=my_index
| dedup name
| table name value


and assume the savedsearch result is like this

namevalue
aa1
bb2


but if we use splunk export API, we will get the result like this

{"preview":false,"offset":0,"result": {"name": "a", value:"1"}
{"preview":false,"offset":1,"result": {"name": "b", value:"2"}
{"preview":false,"offset":0,"result": {"name": "a", value:"1"}
{"preview":false,"offset":1,"result": {"name": "b", value:"2"}

 

Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-17-2020 07:10 AM
Can you reproduce the error using a "standard" saved search (one delivered with Splunk)? I don't have a saved search called "savedsearchname" with a Code field.
---
If this reply helps you, Karma would be appreciated.
Reply

VijaySrrie
Builder
‎07-17-2020 08:32 AM

@richgalloway 

Do you have a savedsearch named - License Usage Data Cube?

I have reproduced the error with this savedsearch.

In splunk - I ran this search for 1 minute and filtered one component where in splunk I am getting 1 log, when I try connecting the API with the same savedsearch for same timing and same filters applied, I am able to see 4 logs in JSON Mode.

Reply
Get Updates on the Splunk Community!

Exciting News: The AppDynamics Community Joins Splunk!

Hello Splunkers,   I’d like to introduce myself—I’m Ryan, the former AppDynamics Community Manager, and I’m ...

The All New Performance Insights for Splunk

Splunk gives you amazing tools to analyze system data and make business-critical decisions, react to issues, ...

Good Sourcetype Naming

When it comes to getting data in, one of the earliest decisions made is what to use as a sourcetype. Often, ...
Top