Solved: All fields are duplicate & MV. Needs to be single ...

ryhluc01 · ‎05-07-2019

Good Morning,

I need to do a stat avg on the time difference between results. Problem is all of my fields are both duplicate and multi-value (MV).
So,
1) Will the fact that every field is duplicate & MV affect the avg?
2) How can I efficiently make all of the data show up as a single field? This has to be within my search query because its a production environment and I do not have access to change how the data coming in.

woodcock · ‎05-07-2019

Your data is probably JSON and you are probably creating index-time fields because you are using INDEXED_EXTRACTIONS = json. This is all fine but when you do that, you need to make sure that you set KV_MODE = none for your sourcetype or you will get a 2nd search-time field extraction/creation which will duplicate and multi-value everything.

View solution in original post

woodcock · ‎05-07-2019

Your data is probably JSON and you are probably creating index-time fields because you are using INDEXED_EXTRACTIONS = json. This is all fine but when you do that, you need to make sure that you set KV_MODE = none for your sourcetype or you will get a 2nd search-time field extraction/creation which will duplicate and multi-value everything.

ryhluc01 · ‎05-07-2019

Thanks @woodcock where would I find this to be able to edit it?

woodcock · ‎05-07-2019

It should be in props.conf on your Search Head. You need CLI (no GUI for this).

ryhluc01 · ‎05-08-2019

Thanks : D

All fields are duplicate & MV. Needs to be single value.

Meet Duke Cyberwalker | A hero’s journey with Splunk

The Future of Splunk Search is Here - See What’s New!

Splunk is Nurturing Tomorrow’s Cybersecurity Leaders Today