Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Added _meta to default result in double counts.

rbal_splunk
Splunk Employee
Splunk Employee
‎03-07-2019 05:00 PM

unable to search data using SPL

index=test ssp=3538

following search does return the result

index=test ssp=*3538

To resolve the issue implemented

Fields.conf
[ssp]
INDEXED = True

After adding to Fields.conf we could search using >>>index=agcy-dns ssp=3538
We noticed that field ssp case giving a double count.

Tags (2)
0 Karma
Reply

rbal_splunk
Splunk Employee
Splunk Employee
‎03-07-2019 05:00 PM

To see duplicate usedvalue for filed as used

index=test ssp=3538 | eval A=mvcount(ssp) | search A=2

Issue was meta was defined ( _meta = org_id::d2e2 ssp::3548 org_id::d2e2 ssp::3548 ) in default stanza for inputs.conf , for search head ( inputs.conf with _meta settings) , and for indexer indexer(inputs.conf, the same _meta settings) resulted in two values because we do not deduplicate

We suspect it become like this ( _meta = org_id::d2e2 ssp::3548 org_id::d2e2 ssp::3548 ) and they were indexed twice.

It will be notice toe document it.

0 Karma
Reply
Get Updates on the Splunk Community!

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...