Splunk Enterprise

Duplicate Values in REST API

VijaySrrie
Builder

Hi,

I am using the REST API call below and am able to see the results, but it is giving me duplicate values.

In Splunk I am able to see only one log, whereas in the REST API call I am able to see 3 logs. Please let me know how to eliminate the duplicate values in the REST API call.

https://splunk-api-url:8089/servicesNS/nobody/appname/search/jobs/export?output_mode=json&segmentation=none&latest_time=2020-07-15T00%3A05%3A00.000&earliest_time=2020-07-15T00%3A00%3A00.000&search=|savedsearch%20savedsearchname%20|search%20Code=XXX-10-12

Note: This duplicate value is seen only for the JSON format; for other formats it is working fine. Let me know how to eliminate duplicate values for the JSON format.


ngohel
Explorer

Having the same issue. Is there any solution?


VijaySrrie
Builder

No solution.

The respective application team filtered the JSON result at their end.


richgalloway
SplunkTrust

I suggest filing a report with Splunk Support.

---
If this reply helps you, Karma would be appreciated.

inventsekar
SplunkTrust

As @richgalloway suggested, this looks like a good candidate for a Splunk Support ticket!

davidgogogo
Explorer

@richgalloway 
We met the same problem on Splunk Enterprise 7.2.6.
If we added the savedsearch like this

index=my_index
| dedup name
| table name value


and assume the savedsearch result is like this

name  value
a     1
b     2


but if we use splunk export API, we will get the result like this

{"preview":false,"offset":0,"result": {"name": "a", "value":"1"}}
{"preview":false,"offset":1,"result": {"name": "b", "value":"2"}}
{"preview":false,"offset":0,"result": {"name": "a", "value":"1"}}
{"preview":false,"offset":1,"result": {"name": "b", "value":"2"}}
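
A client-side filter of the kind mentioned earlier in the thread, as an added example that is not part of any post here and is not Splunk's code: it reads the export endpoint's line-delimited JSON and keeps each final row once. The function names, the constructed sample, and the rule that a row is a duplicate when its offset and result both repeat are assumptions.

```python
import json

# Constructed sample modelled on the export output quoted in the thread
# (rows a/b emitted twice with the same offsets).
SAMPLE_EXPORT = """\
{"preview":false,"offset":0,"result":{"name":"a","value":"1"}}
{"preview":false,"offset":1,"result":{"name":"b","value":"2"}}
{"preview":false,"offset":0,"result":{"name":"a","value":"1"}}
{"preview":false,"offset":1,"result":{"name":"b","value":"2"}}
"""


def dedup_export(lines):
    """Yield each distinct final result once from export JSON lines.

    Assumption: a row is a duplicate when both its offset and its
    result object repeat, as in the sample quoted in the thread.
    """
    seen = set()
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            row = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines instead of aborting
        if not isinstance(row, dict) or "result" not in row:
            continue  # ignore rows that carry no result object
        if row.get("preview"):
            continue  # assumption: rows flagged preview are not final results
        # Canonical form so key order inside "result" does not matter.
        key = (row.get("offset"), json.dumps(row["result"], sort_keys=True))
        if key in seen:
            continue
        seen.add(key)
        yield row["result"]


def dedup_text(text):
    """Convenience wrapper: de-duplicate a whole response body."""
    return list(dedup_export(text.splitlines()))


if __name__ == "__main__":
    for result in dedup_text(SAMPLE_EXPORT):
        print(result)
```

Because the key includes the offset, two genuinely distinct rows with identical field values at different offsets are both kept.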


richgalloway
SplunkTrust
Can you reproduce the error using a "standard" saved search (one delivered with Splunk)? I don't have a saved search called "savedsearchname" with a Code field.
---
If this reply helps you, Karma would be appreciated.

VijaySrrie
Builder

@richgalloway 

Do you have a savedsearch named - License Usage Data Cube?

I have reproduced the error with this savedsearch.

In Splunk, I ran this search for 1 minute and filtered one component, where in Splunk I am getting 1 log; when I try connecting the API with the same savedsearch for the same timing and with the same filters applied, I am able to see 4 logs in JSON mode.
