Events with duplicate field extractions

cfernaca
Explorer

Good afternoon,

I have a monitoring architecture with three nodes with the Splunk Enterprise product. One node acts as SearchHead, one as Indexer and one for all other roles. I have a HEC on the indexer node to be able to receive data from third parties. The sourcetype configured to store the data is as follows:
[integration]
DATETIME_CONFIG = CURRENT
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
category = Structured
description = test
disabled = false
pulldown_type = 1
INDEXED_EXTRACTIONS = none
KV_MODE = json

My problem is that when I fetch the data, there are events where the field extraction is done in duplicate and others where the field extraction is done only once.

Please, can you help me?

Best regards, thank you very much


0 Karma

livehybrid
SplunkTrust

Hi @cfernaca 

The duplicate field extractions are likely due to multiple or conflicting search-time field extraction configurations applying to the integration sourcetype. Since INDEXED_EXTRACTIONS = none is set, the issue occurs at search time. 

KV_MODE = json is generally sufficient for JSON data, but other configurations (e.g., REPORT-* or EXTRACT-* in props.conf) might be redundantly extracting the same fields.

Check for conflicting configurations using btool. Run this command on your Search Head's CLI to see all applied settings for your sourcetype and the props.conf files they come from:

splunk btool props list integration --debug

Look for REPORT-* or EXTRACT-* configurations that might be extracting fields already handled by KV_MODE = json.


0 Karma
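The btool check above produces one line per setting, each prefixed with the path of the props.conf file it was read from. Reading that output by hand for a sourcetype with many settings is error-prone, so here is a small parser, added as an example and not part of the original thread, that pulls out KV_MODE and every REPORT-/EXTRACT- setting and reports which file each one comes from. The sample btool output embedded in it is constructed for the example; the app names, file paths and the extra REPORT-json_fields / EXTRACT-user lines are invented to show what an overlap looks like, not taken from the poster's system.

```python
import re
from collections import defaultdict

# Constructed sample of `splunk btool props list integration --debug` output.
# Paths, app names and the REPORT-/EXTRACT- lines are invented for this example.
SAMPLE_BTOOL_OUTPUT = """\
/opt/splunk/etc/apps/search/local/props.conf        [integration]
/opt/splunk/etc/apps/search/local/props.conf        DATETIME_CONFIG = CURRENT
/opt/splunk/etc/apps/search/local/props.conf        INDEXED_EXTRACTIONS = none
/opt/splunk/etc/apps/search/local/props.conf        KV_MODE = json
/opt/splunk/etc/apps/search/local/props.conf        LINE_BREAKER = ([\\r\\n]+)
/opt/splunk/etc/apps/third_party_ta/default/props.conf REPORT-json_fields = integration_json
/opt/splunk/etc/apps/third_party_ta/local/props.conf   EXTRACT-user = (?P<user>\\w+)
/opt/splunk/etc/system/default/props.conf           ANNOTATE_PUNCT = True
"""

# btool --debug lines: "<path> <stanza header or key = value>"
LINE_RE = re.compile(r"^(?P<path>\S+)\s+(?P<rest>.+)$")


def parse_btool_debug(text):
    """Return a list of (path, key, value) tuples; stanza header lines are skipped."""
    settings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rest = m.group("rest")
        if rest.startswith("["):  # "[integration]" stanza header, not a setting
            continue
        key, sep, value = rest.partition("=")  # split on the first "=" only
        if not sep:
            continue
        settings.append((m.group("path"), key.strip(), value.strip()))
    return settings


def find_extraction_overlap(settings):
    """Return (kv_mode, extra) where kv_mode is (path, value) or None and extra
    maps each REPORT-*/EXTRACT-* key to the list of (path, value) that define it."""
    kv_mode = None
    extra = defaultdict(list)
    for path, key, value in settings:
        if key == "KV_MODE":
            kv_mode = (path, value)
        elif key.startswith(("REPORT-", "EXTRACT-")):
            extra[key].append((path, value))
    return kv_mode, dict(extra)


def summarize(text):
    """Human-readable findings: where KV_MODE is set and which other
    search-time extractions could be producing the same fields twice."""
    kv_mode, extra = find_extraction_overlap(parse_btool_debug(text))
    findings = []
    if kv_mode:
        findings.append(f"KV_MODE = {kv_mode[1]} set in {kv_mode[0]}")
    for key, sources in sorted(extra.items()):
        for path, value in sources:
            findings.append(f"possible overlap: {key} = {value} from {path}")
    return findings


if __name__ == "__main__":
    # In practice pipe the real btool output into this script instead of the sample.
    for finding in summarize(SAMPLE_BTOOL_OUTPUT):
        print(finding)
```

On a real Search Head you would run `splunk btool props list integration --debug > btool.txt` and feed that file to `summarize()`; any REPORT-/EXTRACT- line reported alongside KV_MODE = json is a candidate for the duplicate extractions, and the path tells you which app (and whether default or local) to look at.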

PickleRick
SplunkTrust

HEC sources, if writing to the /event endpoint, can provide their own set of indexed fields besides the raw event. Also, with the /event endpoint no line breaking takes place.

0 Karma

cfernaca
Explorer

So, what is the solution you propose?

0 Karma

PickleRick
SplunkTrust

I can't propose any solution because I have no idea where the problem is. I don't even know which endpoint you're using. The remark about line breaking is just something worth knowing.

0 Karma