Splunk Search

Why is the field count double the amount of total events?

Explorer

Hi there,

I am new to Splunk and have sent some dummy JSON-data to Splunk.

I notice that for example there are 20 events in Splunk, but when I look at the message.ip field, then it shows a count of 40. The strange thing is that with all field names, this is happening. It is all exactly 200%.

How is this possible?

EDIT: Even when I focus on 1 event, the event field will have a count of 2.

The event is:

{"message":{"event":"contentview","sessionID":"8cae4663-7a0d-f8a6-067f-71750f3674b5","userID":"3244430d-64a6-caeb-6e88-723409401f72","elementTagName":"NA","elementValue":"NA","elementName":"DVHN","ip":"::1","ua":{"ua":"Mozilla/5.0 (iPhone; CPU iPhone OS 9_1 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13B143 Safari/601.1","browser":{"name":"Mobile Safari","version":"9.0","major":"9"},"engine":{"version":"601.1.46","name":"WebKit"},"os":{"name":"iOS","version":"9.1"},"device":{"model":"iPhone","vendor":"Apple","type":"mobile"},"cpu":{}}},"severity":"info"}

Thanks.

0 Karma

New Member

If you have json field extraction at index time via

INDEXED_EXTRACTIONS = JSON

You need two additional lines to solve this problem

AUTO_KV_JSON = false
KV_MODE = none

Then stats are correct.

0 Karma

New Member

Try adding `index=foo | spath path=field_that_is_appearing_twice`

0 Karma

Splunk Employee

@JosIJntema - Did the answer provided by briancrandall help provide a working solution to your question? If yes, please don't forget to resolve this post by clicking "Accept". If no, please leave a comment with more feedback. Thanks!

0 Karma

Explorer

I was running into this issue and thought I'd post a comprehensive solution in addition to somesoni2's nudge in the right direction. First thing, yes, I was using indexed extractions. The problem is that in etc/system/default/props.conf you find this:

[default]
AUTO_KV_JSON = true

This means that by default Splunk is doing search-time extractions on all JSON. I added a stanza to etc/system/local/props.conf to turn that setting off for my data:

[my_sourcetype]
AUTO_KV_JSON = false

And that fixed the problem. Hopefully this helps other folks that come across this and saves them some time.

0 Karma
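As an added example (not from any of the posters in this thread), here is a complete props.conf stanza for a JSON sourcetype that combines the fix from the two answers above: index-time extraction stays on and the inherited search-time pass is switched off. The sourcetype name `my_json` and the source file path are assumed.

```ini
# etc/system/local/props.conf  (example stanza, not from the thread;
# the sourcetype name my_json is assumed)
[my_json]
# Parse the JSON once, at index time.
INDEXED_EXTRACTIONS = JSON

# Without the two lines below the stanza inherits
#   AUTO_KV_JSON = true
# from etc/system/default/props.conf, so the same keys are
# extracted a second time at search time and every field
# ends up with twice the event count in the field sidebar.
AUTO_KV_JSON = false
KV_MODE = none
```

After a splunkd restart, a search such as `index=foo sourcetype=my_json | eval n=mvcount('message.ip') | stats count by n` shows whether a field still carries two copies of its value per event (n=2 while both extractions run, n=1 once only the indexed extraction remains).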

SplunkTrust

Seems like the field extraction is done twice for your JSON data. Check the props.conf for your source type; it may have both INDEXED_EXTRACTIONS and KV_MODE (search-time field extraction, preferred) set. You should use only one of them.

0 Karma