Fixed it. In my case, I had to make sure that on the Splunk Cloud instance the same sourcetype was defined and also had KV_MODE = none . I had defined the type on my Universal Forwarder, but had not appreciated that some of the properties, like KV_MODE, are search time properties, and hence they would have to be defined on the search instance (not just the forwarded). I didn't have to use the AUTO_KV_JSON = false setting in the end. You put me on the right path though with the index vs search time double indexing - thanks! ... View more

Unfortunately, having both KV_MODE=none and AUTO_KV_JSON=false together in my props.conf did not fix the issue for me. I will do some tests to ensure the props.conf on the Universal Forwarder is definitely being applied. ... View more

In case it's important, I'm using Splunk Universal Forwarder 6.2.2 (build 255606) ... View more

I too have this problem. Using Splunk Cloud, if I upload a JSON file with the following settings: INDEXED_EXTRACTIONS = json KV_MODE = none NO_BINARY_CHECK = true SHOULD_LINEMERGE = true TIMESTAMP_FIELDS = time category = Structured description = JavaScript Object Notation disabled = false pulldown_type = true The data is imported correctly, no duplicate values. If I upload a file via a monitor on a Universal Forwarder with the following settings: INDEXED_EXTRACTIONS = json KV_MODE = none NO_BINARY_CHECK = true SHOULD_LINEMERGE = true TIMESTAMP_FIELDS = time The value for each event is duplicated. If I change to have KV_MODE = json and reindex, it makes no difference for me, the values are still duplicated. ... View more