Hi,
I am using the below REST API call and am able to see the results, but it is giving me duplicate values.
In Splunk I am able to see only one log, whereas in the REST API call I am able to see 3 logs. Please let me know how to eliminate the duplicate values in the REST API call.
https://splunk-api-url:8089/servicesNS/nobody/appname/search/jobs/export?output_mode=json&segmentation=none&latest_time=2020-07-15T00%3A05%3A00.000&earliest_time=2020-07-15T00%3A00%3A00.000&search=|savedsearch%20savedsearchname%20|search%20Code=XXX-10-12
Note: This duplicate value can be seen only for the JSON format; for other formats it is working fine. Let me know how to eliminate duplicate values for the JSON format.
Having the same issue. Is there any solution?
No solution.
The respective application team filtered the JSON result at their end.
I suggest filing a report with Splunk Support.
As @richgalloway suggested, this looks like a good candidate for a Splunk Support ticket!
@richgalloway
We met the same problem on Splunk Enterprise 7.2.6.
If we add the savedsearch like this:
index=my_index
| dedup name
| table name value
and assume the savedsearch result is like this:
name | value |
aa | 1 |
bb | 2 |
but if we use the Splunk export API, we will get the result like this:
{"preview":false,"offset":0,"result": {"name": "a", "value":"1"}}
{"preview":false,"offset":1,"result": {"name": "b", "value":"2"}}
{"preview":false,"offset":0,"result": {"name": "a", "value":"1"}}
{"preview":false,"offset":1,"result": {"name": "b", "value":"2"}}
Do you have a savedsearch named - License Usage Data Cube?
I have reproduced the error with this savedsearch.
In Splunk, I ran this search for 1 minute and filtered one component, where in Splunk I am getting 1 log; when I try connecting the API with the same savedsearch for the same timing and the same filters applied, I am able to see 4 logs in JSON mode.
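
The client-side filtering mentioned in the thread, sketched as an added example (not code from any poster or from Splunk). It assumes the export body is one JSON object per line as in the sample output above, treats rows flagged `"preview": true` as interim results to drop, and keys duplicates on offset plus result; `dedup_export` and the sample data are constructed for illustration.

```python
import json

# Constructed sample in the shape the thread shows for output_mode=json:
# one JSON object per line, with the same offsets delivered more than once.
SAMPLE_EXPORT = """\
{"preview":false,"offset":0,"result":{"name":"a","value":"1"}}
{"preview":false,"offset":1,"result":{"name":"b","value":"2"}}
{"preview":true,"offset":0,"result":{"name":"a","value":"0"}}
{"preview":false,"offset":0,"result":{"value":"1","name":"a"}}
{"preview":false,"offset":1,"result":{"name":"b","value":"2"}}
not-json
"""


def dedup_export(lines):
    """Return (results, stats), keeping each (offset, result) pair once.

    `lines` is any iterable of str or bytes lines from the export response.
    """
    seen = set()
    results = []
    stats = {"kept": 0, "duplicate": 0, "preview": 0, "skipped": 0}
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            row = json.loads(raw)
        except ValueError:  # malformed JSON or undecodable bytes
            stats["skipped"] += 1
            continue
        if not isinstance(row, dict) or not isinstance(row.get("result"), dict):
            stats["skipped"] += 1  # no result object on this line
            continue
        if row.get("preview") is True:  # assumption: interim row, not final
            stats["preview"] += 1
            continue
        # Canonical form so key order inside "result" does not defeat the match.
        key = (row.get("offset"), json.dumps(row["result"], sort_keys=True))
        if key in seen:
            stats["duplicate"] += 1
            continue
        seen.add(key)
        results.append(row["result"])
        stats["kept"] += 1
    return results, stats


if __name__ == "__main__":
    print(dedup_export(SAMPLE_EXPORT.splitlines()))
```

Logging the `duplicate` count per call gives a record of how often the endpoint repeats rows, which is useful evidence to attach to a support ticket.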