Splunk Search

Events with duplicate field extractions

cfernaca
Explorer

Good afternoon,

I have a monitoring architecture with three nodes with the Splunk Enterprise product. One node acts as SearchHead, one as Indexer and one for all other roles. I have a HEC on the indexer node to be able to receive data from third parties. The sourcetype configured to store the data is as follows:
[integration]
DATETIME_CONFIG = CURRENT
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
category = Structured
description = test
disabled = false
pulldown_type = 1
INDEXED_EXTRACTIONS = none
KV_MODE = json

My problem is that when I fetch the data, there are events where the field extraction is done in duplicate and others where the field extraction is done only once.

Please, can you help me?

Best regards, thank you very much


0 Karma

livehybrid
Super Champion

Hi @cfernaca 

The duplicate field extractions are likely due to multiple or conflicting search-time field extraction configurations applying to the integration sourcetype. Since INDEXED_EXTRACTIONS = none is set, the issue occurs at search time. 

KV_MODE = json is generally sufficient for JSON data, but other configurations (e.g., REPORT-* or EXTRACT-* in props.conf) might be redundantly extracting the same fields.

Check for conflicting configurations using btool. Run this command on your Search Head's CLI to see all applied settings for your sourcetype and the source props.conf files:

splunk btool props list integration --debug

Look for REPORT-* or EXTRACT-* configurations that might be extracting fields already handled by KV_MODE = json.

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

0 Karma
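To make the btool check above concrete, here is an added Python helper (not from the original thread and not part of Splunk) that parses the output of `splunk btool props list <sourcetype> --debug` and flags REPORT-* or EXTRACT-* settings that apply alongside KV_MODE = json, since each of those is a second search-time extraction of the same JSON. The sample output, its file paths and stanza names are constructed, and the line format (file path, whitespace, setting) is an assumption about what btool --debug prints.

```python
import re
from collections import defaultdict

# Constructed sample of `splunk btool props list integration --debug` output.
# Paths and setting names are made up for this example.
SAMPLE_BTOOL_OUTPUT = r"""
/opt/splunk/etc/apps/search/local/props.conf      [integration]
/opt/splunk/etc/apps/search/local/props.conf      DATETIME_CONFIG = CURRENT
/opt/splunk/etc/apps/search/local/props.conf      INDEXED_EXTRACTIONS = none
/opt/splunk/etc/apps/search/local/props.conf      KV_MODE = json
/opt/splunk/etc/apps/ta_integration/default/props.conf      REPORT-json_fields = integration_json
/opt/splunk/etc/apps/ta_integration/default/props.conf      EXTRACT-status = (?<status>\w+)
"""

# Assumed btool --debug layout: "<file path><whitespace><setting line>"
LINE_RE = re.compile(r"^(?P<file>\S+)\s+(?P<body>.*)$")
# Search-time extraction classes that re-extract fields KV_MODE=json already produces
DUPLICATING_PREFIXES = ("REPORT-", "EXTRACT-")


def parse_btool_debug(text):
    """Map each setting name to a list of (file, value) pairs, in btool order."""
    settings = defaultdict(list)
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        body = m.group("body").strip()
        if body.startswith("[") or "=" not in body:
            continue  # stanza header or stray line
        key, value = (part.strip() for part in body.split("=", 1))
        settings[key].append((m.group("file"), value))
    return settings


def find_duplicate_extraction_risks(settings):
    """Return human-readable findings for settings that extract fields a second time."""
    findings = []
    # The last entry is the one btool resolved as effective
    kv_mode = settings.get("KV_MODE", [(None, "none")])[-1][1].lower()
    if kv_mode == "none":
        return findings  # no automatic KV extraction, nothing to duplicate
    for key, entries in settings.items():
        if key.startswith(DUPLICATING_PREFIXES):
            for path, value in entries:
                findings.append(f"{key} = {value} in {path} runs alongside KV_MODE={kv_mode}")
    return findings


if __name__ == "__main__":
    for finding in find_duplicate_extraction_risks(parse_btool_debug(SAMPLE_BTOOL_OUTPUT)):
        print(finding)
```

On a real host, pipe the btool output into `parse_btool_debug` instead of the constructed sample; any finding names the app and file where the redundant extraction lives.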

PickleRick
SplunkTrust

HEC sources, if writing to the /event endpoint, can provide their own set of indexed fields beside the raw event. Also, with the /event endpoint no line breaking takes place.

0 Karma

cfernaca
Explorer

So, what is the solution you propose?

0 Karma

PickleRick
SplunkTrust

I can't propose any solution because I have no idea where the problem is. I don't even know which endpoint you're using. The remark about line breaking is just something worth knowing.

0 Karma