Added _meta to default result in double counts.

rbal_splunk · ‎03-07-2019

unable to search data using SPL

index=test ssp=3538

following search does return the result

index=test ssp=*3538

To resolve the issue implemented

Fields.conf
[ssp]
INDEXED = True

After adding to Fields.conf we could search using >>>index=agcy-dns ssp=3538
We noticed that field ssp case giving a double count.

rbal_splunk · ‎03-07-2019

To see duplicate usedvalue for filed as used

index=test ssp=3538 | eval A=mvcount(ssp) | search A=2

Issue was meta was defined ( _meta = org_id::d2e2 ssp::3548 org_id::d2e2 ssp::3548 ) in default stanza for inputs.conf , for search head ( inputs.conf with _meta settings) , and for indexer indexer(inputs.conf, the same _meta settings) resulted in two values because we do not deduplicate

We suspect it become like this ( _meta = org_id::d2e2 ssp::3548 org_id::d2e2 ssp::3548 ) and they were indexed twice.

It will be notice toe document it.

Added _meta to default result in double counts.

September Community Champions: A Shoutout to Our Contributors!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Are you a member of the Splunk Community?

Added _meta to default result in double counts.

September Community Champions: A Shoutout to Our Contributors!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025