Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Duplicate entries in splunk search

krishna_11
Explorer
‎10-30-2020 10:45 AM

Hi Splunk experts

I need one help, the splunk search is giving me duplicate entries when I do a search. I have made sure that there are no duplicate events and I have also used dedup in my search. Still it gives me duplicates. Need your help. See the attached image.

Could you please let me know what could be the issue?

Thanks and best regards

Krishna

Labels (1)
Labels
Preview file
345 KB
Reply
1 Solution
Solved! Jump to solution
Solution

alonsocaio
Contributor
‎10-31-2020 05:54 PM

Hi @krishna_11 

I have tested a simple json file with this sourcetype settings:

[test:json]
INDEXED_EXTRACTIONS = json
SHOULD_LINEMERGE = 0
pulldown_type = 1

And It returned me duplicated values.

When I added KV_MODE = None to the sourcetype, It parsed the json correctly.

[test:json]
INDEXED_EXTRACTIONS = json
SHOULD_LINEMERGE = 0
KV_MODE = None
pulldown_type = 1

I would suggest you to test using the KV_MODE option to validate if It works for you.

View solution in original post

Reply
Solved! Jump to solution

alonsocaio
Contributor
‎10-30-2020 11:55 AM

Hi @krishna_11 , 

Which is the original format of the log entries? Is it JSON or XML?

Maybe you should validate if the sourcetype contains both INDEXED_EXTRACTIONS and KV_MODE set to JSON/XML. If both of them are set, try removing one of them, such as INDEXED_EXTRACTIONS=JSON and KV_MODE=None.

Reply
Solved! Jump to solution

krishna_11
Explorer
‎10-30-2020 02:26 PM

Hi @alonsocaio 

The original format of the log entries is JSON.

The sourcetype contains only INDEXED_EXTRACTIONS is set to JSON and I have not set KV_MODE at all.

Are there any other ideas? 

Best regards

Krishna

Reply
Solved! Jump to solution

alonsocaio
Contributor
‎10-31-2020 10:12 AM

Are you able to share your sourcetype configs?

Reply
Solved! Jump to solution

krishna_11
Explorer
‎10-31-2020 10:35 AM

Hi @alonsocaio 

Here is my source type config:

[source::...ta-audit-logs-ingester*.log*]
sourcetype = taauditlogsingester:log

[source::...ta_audit_logs_ingester*.log*]
sourcetype = taauditlogsingester:log

[Audit-Logs-Source]
INDEXED_EXTRACTIONS = json
SHOULD_LINEMERGE = 0
category = Splunk App Add-on Builder
pulldown_type = 1

 

Thank you so much for your help. Greatly appreciated.

Thanks and best regards

Krishna

Reply
Solved! Jump to solution
Solution

alonsocaio
Contributor
‎10-31-2020 05:54 PM

Hi @krishna_11 

I have tested a simple json file with this sourcetype settings:

[test:json]
INDEXED_EXTRACTIONS = json
SHOULD_LINEMERGE = 0
pulldown_type = 1

And It returned me duplicated values.

When I added KV_MODE = None to the sourcetype, It parsed the json correctly.

[test:json]
INDEXED_EXTRACTIONS = json
SHOULD_LINEMERGE = 0
KV_MODE = None
pulldown_type = 1

I would suggest you to test using the KV_MODE option to validate if It works for you.

Reply
Solved! Jump to solution

krishna_11
Explorer
‎11-02-2020 11:29 AM

Hi @alonsocaio 

I have been testing and it looks like your solution worked like a charm. Thank you so much for this amazing solution. Greatly appreciate it. I have been trying for quite some time and could not find any solution. 

You are a lifesaver 🙂

-Krishna

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

What Is Splunk? Here’s What You Can Do with Splunk

Hey Splunk Community, we know you know Splunk. You likely leverage its unparalleled ability to ingest, index, ...

Level Up Your .conf25: Splunk Arcade Comes to Boston

With .conf25 right around the corner in Boston, there’s a lot to look forward to — inspiring keynotes, ...

Manual Instrumentation with Splunk Observability Cloud: How to Instrument Frontend ...

Although it might seem daunting, as we’ve seen in this series, manual instrumentation can be straightforward ...