Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

All fields are duplicate & MV. Needs to be single value.

ryhluc01
Communicator
‎05-07-2019 09:48 AM

Good Morning,

I need to do a stat avg on the time difference between results. Problem is all of my fields are both duplicate and multi-value (MV).
So,
1) Will the fact that every field is duplicate & MV affect the avg?
2) How can I efficiently make all of the data show up as a single field? This has to be within my search query because its a production environment and I do not have access to change how the data coming in.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎05-07-2019 10:09 AM

Your data is probably JSON and you are probably creating index-time fields because you are using INDEXED_EXTRACTIONS = json. This is all fine but when you do that, you need to make sure that you set KV_MODE = none for your sourcetype or you will get a 2nd search-time field extraction/creation which will duplicate and multi-value everything.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎05-07-2019 10:09 AM

Your data is probably JSON and you are probably creating index-time fields because you are using INDEXED_EXTRACTIONS = json. This is all fine but when you do that, you need to make sure that you set KV_MODE = none for your sourcetype or you will get a 2nd search-time field extraction/creation which will duplicate and multi-value everything.

0 Karma
Reply
Solved! Jump to solution

ryhluc01
Communicator
‎05-07-2019 11:27 AM

Thanks @woodcock where would I find this to be able to edit it?

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎05-07-2019 11:53 AM

It should be in props.conf on your Search Head. You need CLI (no GUI for this).

0 Karma
Reply
Solved! Jump to solution

ryhluc01
Communicator
‎05-08-2019 07:20 AM

Thanks : D

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...