Splunk Search

Why are Splunk Fields showing 200%?

HarperWCurran
Engager

Hi,

I am doing a search and noticing that I am getting 200% on the fields. I troubleshot and used this line at the beginning of my search:

KV_MODE = none
AUTO_KV_JSON = false

However, it instead returns no events whatsoever, and I have the time on All time, yet I still get nothing.

Please help.

0 Karma

gcusello
SplunkTrust

Hi @HarperWCurran,

As @yuanliu said, these are options for props.conf; if you put them at the beginning of your search, you're searching for these strings, and obviously you won't find anything.

Could you share your search and a screenshot of the 200%?

Do you have multivalue fields?

Ciao.

Giuseppe

0 Karma

yuanliu
SplunkTrust

Those expressions are meant for props.conf, not the search language. You need to check that sourcetype in props.conf to make sure that you don't have duplicate extraction.

0 Karma
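The props.conf check suggested in the replies can be scripted. The following is an added example, not code from any post in this thread or from Splunk: it flags stanzas where JSON is extracted at index time (`INDEXED_EXTRACTIONS`) and again at search time, which is one common form of duplicate extraction. Assumptions: the thread does not say which extraction is duplicated for this sourcetype, the stanza names and sample config are constructed, both settings are visible in the text passed in, and backslash line continuations are not handled.

```python
# Added example: flag props.conf stanzas where JSON is extracted twice.
# SAMPLE_PROPS and its sourcetype names are constructed for illustration.
SAMPLE_PROPS = """\
[app:json:dup]
INDEXED_EXTRACTIONS = json

[app:json:explicit]
INDEXED_EXTRACTIONS = JSON
KV_MODE = json

[app:json:fixed]
INDEXED_EXTRACTIONS = json
KV_MODE = none
AUTO_KV_JSON = false

[app:plain]
KV_MODE = auto
"""

def parse_props(text):
    """Return {stanza: {KEY: value}} from props.conf-style text."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas

def duplicate_json_extraction(settings):
    """True if JSON is extracted at index time and again at search time."""
    if settings.get("INDEXED_EXTRACTIONS", "").lower() != "json":
        return False
    kv_mode = settings.get("KV_MODE", "auto").lower()         # default: auto
    auto_json = settings.get("AUTO_KV_JSON", "true").lower()  # default: true
    if kv_mode == "json":
        return True
    return kv_mode in ("auto", "auto_escaped") and auto_json in ("true", "1")

def find_duplicates(text):
    """Sorted stanza names whose settings extract JSON fields twice."""
    return sorted(name for name, s in parse_props(text).items()
                  if duplicate_json_extraction(s))

if __name__ == "__main__":
    for name in find_duplicates(SAMPLE_PROPS):
        print(f"[{name}]: JSON extracted at index and search time; "
              "set KV_MODE = none in props.conf")
```
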